
Windows Analysis Report
PI_2024.exe

Overview

General Information

Sample name: PI_2024.exe
Analysis ID: 1483269
MD5: 44d203e05b0d9ef3262d3f62eca36ce7
SHA1: 5f01f10a83d82d0618e29566ed361e32d4925476
SHA256: f16fa90e5255b1675b0cd1665c3b8fb80fe785a8d3db5fcad202394d9b5ab15f
Tags: exe

Detection

FormBook
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PI_2024.exe (PID: 5428 cmdline: "C:\Users\user\Desktop\PI_2024.exe" MD5: 44D203E05B0D9EF3262D3F62ECA36CE7)
    • svchost.exe (PID: 5780 cmdline: "C:\Users\user\Desktop\PI_2024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2f0f3: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17172: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2bc70: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13cef: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Yara matches on unpacked PEs (Source / Rule / Description / Author / Strings):

Source: 2.2.svchost.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 2.2.svchost.exe.400000.0.raw.unpack
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2f0f3: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17172: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 2.2.svchost.exe.400000.0.unpack
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 2.2.svchost.exe.400000.0.unpack
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2e2f3: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16372: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\PI_2024.exe", CommandLine: "C:\Users\user\Desktop\PI_2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PI_2024.exe", ParentImage: C:\Users\user\Desktop\PI_2024.exe, ParentProcessId: 5428, ParentProcessName: PI_2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\PI_2024.exe", ProcessId: 5780, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\PI_2024.exe", CommandLine: "C:\Users\user\Desktop\PI_2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PI_2024.exe", ParentImage: C:\Users\user\Desktop\PI_2024.exe, ParentProcessId: 5428, ParentProcessName: PI_2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\PI_2024.exe", ProcessId: 5780, ProcessName: svchost.exe
No Snort rule has matched

Timestamp: 2024-07-26T23:53:56.291015+0200
SID: 2022930
Source Port: 443
Destination Port: 49711
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-26T23:53:17.881849+0200
SID: 2022930
Source Port: 443
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: PI_2024.exe; ReversingLabs: Detection: 55%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: PI_2024.exe; Joe Sandbox ML: detected
Source: PI_2024.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: PI_2024.exe, 00000000.00000003.2017767805.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, PI_2024.exe, 00000000.00000003.2017494732.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2247836567.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2713434206.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2254330397.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2713434206.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: PI_2024.exe, 00000000.00000003.2017767805.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, PI_2024.exe, 00000000.00000003.2017494732.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2247836567.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2713434206.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2254330397.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2713434206.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0023DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0020C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_002468EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0024698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0023D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0023D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_00249642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0024979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_00249B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_00245C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0024CE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0024EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0024ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0023AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_00269576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: PI_2024.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PI_2024.exe, 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_1f36b10e-0)
Source: PI_2024.exe; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_a4f16b13-a)
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0042C3B3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A72C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03A73D70 NtOpenThread
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0023D5EB CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_00231201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\PI_2024.exe; Code function: 0_2_0023E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41F922_2_03A41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A03FD22_2_03A03FD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A03FD52_2_03A03FD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFF092_2_03AFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A49EB02_2_03A49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5FDC02_2_03A5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF7D732_2_03AF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A43D402_2_03A43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF1D5A2_2_03AF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFCF22_2_03AFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB9C322_2_03AB9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03AAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A2B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A87E54 appears 111 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03ABF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A75130 appears 58 times
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: String function: 001F0A30 appears 46 times
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: String function: 001EF9F2 appears 40 times
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: String function: 001D9CB3 appears 31 times
          Source: PI_2024.exe, 00000000.00000003.2020306680.00000000040C3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PI_2024.exe
          Source: PI_2024.exe, 00000000.00000003.2017494732.000000000421D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PI_2024.exe
          Source: PI_2024.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal92.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_002437B5 GetLastError,FormatMessageW,0_2_002437B5
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_002310BF AdjustTokenPrivileges,CloseHandle,0_2_002310BF
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_002316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_002316C3
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_002451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_002451CD
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0025A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0025A67C
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0024648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_0024648E
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_001D42A2
          Source: C:\Users\user\Desktop\PI_2024.exeFile created: C:\Users\user\AppData\Local\Temp\aut3E51.tmp
          Source: PI_2024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PI_2024.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: PI_2024.exeReversingLabs: Detection: 55%
          Source: unknownProcess created: C:\Users\user\Desktop\PI_2024.exe "C:\Users\user\Desktop\PI_2024.exe"
          Source: C:\Users\user\Desktop\PI_2024.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PI_2024.exe"
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: wsock32.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: version.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: winmm.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: mpr.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: wininet.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: userenv.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: wldp.dll
          Source: C:\Users\user\Desktop\PI_2024.exeSection loaded: ntmarta.dll
          Source: PI_2024.exeStatic file information: File size 1256960 > 1048576
          Source: PI_2024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: PI_2024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: PI_2024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: PI_2024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: PI_2024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: PI_2024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: PI_2024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: PI_2024.exe, 00000000.00000003.2017767805.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, PI_2024.exe, 00000000.00000003.2017494732.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2247836567.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2713434206.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2254330397.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2713434206.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: PI_2024.exe, 00000000.00000003.2017767805.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, PI_2024.exe, 00000000.00000003.2017494732.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2247836567.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2713434206.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2254330397.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2713434206.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp
          Source: PI_2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: PI_2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: PI_2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: PI_2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: PI_2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001D42DE
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001F0A76 push ecx; ret 0_2_001F0A89
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E822 pushad ; ret 2_2_0041E82C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004118F4 push edi; iretd 2_2_004118FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004018AB push ebx; ret 2_2_004018AC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040C9B7 push eax; ret 2_2_0040C9C1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418BFB push ebx; ret 2_2_00418C2A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418B93 push ebx; ret 2_2_00418C2A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00403480 push eax; ret 2_2_00403482
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004085DE push ss; iretd 2_2_004085E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418DE2 push edx; ret 2_2_00418DE3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A5E8 push esi; ret 2_2_0041A5E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418DA9 push cs; ret 2_2_00418DB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00413603 push esi; retf 2_2_0041360A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414788 pushfd ; ret 2_2_00414789
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A0225F pushad ; ret 2_2_03A027F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A027FA pushad ; ret 2_2_03A027F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx2_2_03A309B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A0283D push eax; iretd 2_2_03A02858
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A01366 push eax; iretd 2_2_03A01369
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_001EF98E
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_00261C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00261C41
          Source: C:\Users\user\Desktop\PI_2024.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\PI_2024.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-95870)
          Source: C:\Users\user\Desktop\PI_2024.exeAPI/Special instruction interceptor: Address: 22E3244
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E rdtsc 2_2_03A7096E
          Source: C:\Users\user\Desktop\PI_2024.exeAPI coverage: 3.8 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 5824Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0023DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0023DBBE
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0020C2A2 FindFirstFileExW,0_2_0020C2A2
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_002468EE FindFirstFileW,FindClose,0_2_002468EE
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0024698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0024698F
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0023D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0023D076
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0023D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0023D3A9
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_00249642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00249642
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0024979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0024979D
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_00249B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00249B2B
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_00245C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00245C97
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001D42DE
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E rdtsc 2_2_03A7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417493 LdrLoadDll,2_2_00417493
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_0024EAA2 BlockInput,0_2_0024EAA2
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_00202622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00202622
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_001D42DE
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001F4CE8 mov eax, dword ptr fs:[00000030h]0_2_001F4CE8
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_022E34B0 mov eax, dword ptr fs:[00000030h]0_2_022E34B0
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_022E3510 mov eax, dword ptr fs:[00000030h]0_2_022E3510
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_022E1E70 mov eax, dword ptr fs:[00000030h]0_2_022E1E70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]2_2_03A5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]2_2_03A5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]2_2_03A663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]2_2_03AEC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]2_2_03AB63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]2_2_03ADE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]2_2_03ADE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]2_2_03ADE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]2_2_03ADE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]2_2_03AD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]2_2_03AD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]2_2_03B08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h]2_2_03B08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]2_2_03B08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]2_2_03B08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]2_2_03A2C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]2_2_03A50310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]2_2_03AD437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]2_2_03AFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]2_2_03AD8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h]2_2_03B0634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]2_2_03A2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]2_2_03AE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]2_2_03AE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]2_2_03AFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]2_2_03AD8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28B50 mov eax, dword ptr fs:[00000030h]2_2_03A28B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEB50 mov eax, dword ptr fs:[00000030h]2_2_03ADEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]2_2_03A86AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]2_2_03B04A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]2_2_03A68A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]2_2_03A30AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]2_2_03A6CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]2_2_03A5EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]2_2_03A6CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]2_2_03ABCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEA60 mov eax, dword ptr fs:[00000030h]2_2_03ADEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]2_2_03A40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]2_2_03A40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]2_2_03A309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]2_2_03A309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]2_2_03AB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]2_2_03AB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]2_2_03AB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]2_2_03ABE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]2_2_03A629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]2_2_03A629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]2_2_03AC69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03A3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03A3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03A3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03A3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03A3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03A3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]2_2_03A649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]2_2_03AFA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]2_2_03AB892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]2_2_03AC892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]2_2_03AAE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]2_2_03AAE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]2_2_03ABC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]2_2_03A28918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]2_2_03A28918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]2_2_03A56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]2_2_03A56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]2_2_03A56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]2_2_03A7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]2_2_03A7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]2_2_03A7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]2_2_03AD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]2_2_03AD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]2_2_03ABC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]2_2_03AB0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04940 mov eax, dword ptr fs:[00000030h]2_2_03B04940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]2_2_03A30887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]2_2_03ABC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]2_2_03AFA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03A6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03A6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]2_2_03A5E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B008C0 mov eax, dword ptr fs:[00000030h]2_2_03B008C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]2_2_03A52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]2_2_03A52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]2_2_03A52835
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_00230B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00230B62
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_00202622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00202622
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001F083F
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001F09D5 SetUnhandledExceptionFilter,0_2_001F09D5
          Source: C:\Users\user\Desktop\PI_2024.exeCode function: 0_2_001F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_001F0C21

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\PI_2024.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PI_2024.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EA8008
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_00231201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_00212BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_0023B226 SendInput,keybd_event
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_002522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
          Source: C:\Users\user\Desktop\PI_2024.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PI_2024.exe"
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_00230B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_00231663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: PI_2024.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: PI_2024.exe Binary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_001F0698 cpuid
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_00248195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_0022D27A GetUserNameW
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_0020B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_001D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: PI_2024.exe Binary or memory string: WIN_81
          Source: PI_2024.exe Binary or memory string: WIN_XP
          Source: PI_2024.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
          Source: PI_2024.exe Binary or memory string: WIN_XPe
          Source: PI_2024.exe Binary or memory string: WIN_VISTA
          Source: PI_2024.exe Binary or memory string: WIN_7
          Source: PI_2024.exe Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_00251204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\PI_2024.exe Code function: 0_2_00251806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count of matching signatures, entries without a number did not match)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
          Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
          Persistence: 2 Valid Accounts; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Privilege Escalation: 2 Valid Accounts; 1 Exploitation for Privilege Escalation; 21 Access Token Manipulation; 212 Process Injection; 1 DLL Side-Loading; RC Scripts; Startup Items; Scheduled Task/Job; At
          Defense Evasion: 2 Valid Accounts; 1 Disable or Modify Tools; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; HTML Smuggling
          Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: 2 System Time Discovery; 24 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 115 System Information Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
          Collection: 21 Input Capture; 1 Archive Collected Data; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

          Antivirus detection (Source | Detection | Scanner | Label)
          PI_2024.exe | 55% | ReversingLabs | Win32.Trojan.Strab
          PI_2024.exe | 100% | Joe Sandbox ML | (no label)
          No Antivirus matches
          No contacted domains info
          No contacted IP infos
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1483269
          Start date and time:2024-07-26 23:52:09 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 4s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:PI_2024.exe
          Detection:MAL
          Classification:mal92.troj.evad.winEXE@3/4@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 97%
          • Number of executed functions: 48
          • Number of non-executed functions: 296
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • VT rate limit hit for: PI_2024.exe
          No simulations
          No context
          Process:C:\Users\user\Desktop\PI_2024.exe
          File Type:data
          Category:dropped
          Size (bytes):287232
          Entropy (8bit):7.9917249037824805
          Encrypted:true
          SSDEEP:6144:4xmXvO1DwfgvXjsrnSBumQ5U8010npsSDTlq:F210fgrcSITwenpNXQ
          MD5:6771F8201BC7B5DE49E58F43C2375F43
          SHA1:2F9871463DC95BA96BA73B2E957F50242F48FD15
          SHA-256:8EFA3F1CF3471014BD09A527896115BB31F4AE8C4CA72A4D250E2214967434A9
          SHA-512:17CA3F0C5C430C2FD14D271A296E743E3ECA387FB39190AFADD5D0AB87CA7B1B3BEA9218756F5F2FA318C52EB968EBE6C44F446BD09500BC487EF421629FF413
          Malicious:false
          Reputation:low
          Process:C:\Users\user\Desktop\PI_2024.exe
          File Type:data
          Category:dropped
          Size (bytes):9738
          Entropy (8bit):7.639969448194293
          Encrypted:false
          SSDEEP:192:Z6E+bT+X/8ER7PVz6sNiDrFdZMecXWHLN8R2oeUNct8ZTChRMnOKfwshT:Z6dwXRhNiHBN8R2dUeuZTZOKfhF
          MD5:C3561C05D8B395F916976B9ECC4CE0BC
          SHA1:AEBDCD8A36F2E5964CD8FF17049D1821933AB1E3
          SHA-256:1368AFE0271A902F9AF88F667DF9F51FE780F9302F61D82BCE75E0605E0DCE09
          SHA-512:D56334459A82C624D3C2FA3FE3360E8E7026C225EA5DCA8061F47AC8FC9D8C1584A5352E3B2A0250706E0ACEB4B843C084930CC21851C0B794BF19AE9512F97A
          Malicious:false
          Reputation:low
          Preview:EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3|vi..G.7...8_..qf..i|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...
          Process:C:\Users\user\Desktop\PI_2024.exe
          File Type:ASCII text, with very long lines (28674), with no line terminators
          Category:dropped
          Size (bytes):28674
          Entropy (8bit):3.5804022191654203
          Encrypted:false
          SSDEEP:768:JxBr6ScFCo3T3iC+vt63YntRUu+nZ+nskm/ersl2HzpmL5sCWi:Zr6ScFCo3T3i3vt63YntRUu+nZ+nskm9
          MD5:19B04707FF6755154BBDA374EB6ABC9A
          SHA1:FE914BAA126442B3717C3B110D58F05FDBAE4199
          SHA-256:5C85CA960B52B44D969C890F1178517659C003463D652256847C2DCC2B20BF2D
          SHA-512:CF6C2180693A9FB450381420253D8C673E023500CE4A424F8FF40FF45375731D1D9AA788D427A6604864671EBFD4A14610045A5192A57F76BD9EF523F398E711
          Malicious:false
          Reputation:low
          Preview:3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.142987823208491
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:PI_2024.exe
          File size:1'256'960 bytes
          MD5:44d203e05b0d9ef3262d3f62eca36ce7
          SHA1:5f01f10a83d82d0618e29566ed361e32d4925476
          SHA256:f16fa90e5255b1675b0cd1665c3b8fb80fe785a8d3db5fcad202394d9b5ab15f
          SHA512:df18b6cf8238580cef3af5b3b939bc3c34c24b80f940c810eaa5e715e202df95eb169265494e8518316b531470201572189bec5a677193b901c4687179fbb7e7
          SSDEEP:24576:QqDEvCTbMWu7rQYlBQcBiT6rprG8aW7FiiYQLdABwa2EgRNoCo:QTvC/MTQYxsWR7aW7955AB9C
          TLSH:4145C00273D1C062FFAB92334B5AF6515ABC6A260123E61F13981D79FE701B1563E7A3
          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x420577
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66A2FDE8 [Fri Jul 26 01:37:44 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:948cc502fe9226992dce9417f952fce3
          Instruction
          call 00007FC500710A53h
          jmp 00007FC50071035Fh
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007FC50071053Dh
          mov dword ptr [esi], 0049FDF0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FDF8h
          mov dword ptr [ecx], 0049FDF0h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007FC50071050Ah
          mov dword ptr [esi], 0049FE0Ch
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FE14h
          mov dword ptr [ecx], 0049FE0Ch
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          and dword ptr [eax], 00000000h
          and dword ptr [eax+04h], 00000000h
          push eax
          mov eax, dword ptr [ebp+08h]
          add eax, 04h
          push eax
          call 00007FC5007130FDh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 0049FDD0h
          push eax
          call 00007FC500713148h
          pop ecx
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          push eax
          call 00007FC500713131h
          test byte ptr [ebp+08h], 00000001h
          pop ecx
          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x5c2e8 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x131000 | 0x7594 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0xd4000 | 0x5c2e8 | 0x5c400 | 26546436b2b76499219f15847c47a577 | False | 0.9285733189363143 | data | 7.896731535689446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x131000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
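The section table above is the kind of data a static triage pass derives straight from the PE headers: the link timestamp (the 0x66A2FDE8 value listed under Time Stamp), the section virtual/raw layout, and the 8-bit entropy of each section's raw bytes, which is what makes a .rsrc at 7.90 stand out against a .text at 6.67. The script below is an added example, not Joe Sandbox's code; it uses only the Python standard library, the 7.0 entropy threshold is an assumption, and the PE32 it parses is constructed in-line (a low-entropy code section, an empty data section and a pseudo-random resource section standing in for an encrypted payload) so that it runs offline.

```python
"""Static PE32 triage: link timestamp, section table and per-section entropy.
Added example (not Joe Sandbox code); standard library only, parses a PE
that the script constructs itself so it runs offline."""
import math
import random
import struct
from datetime import datetime, timezone

HIGH_ENTROPY = 7.0            # assumption: packed/encrypted data usually exceeds this
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_timestamp(ts: int) -> str:
    """TimeDateStamp in the COFF header is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:                                                # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * 40                    # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[rawptr:rawptr + rawsize]              # entropy is taken over the raw bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "timestamp": pe_timestamp(ts), "entry_rva": entry,
            "image_base": image_base, "sections": sections}


def suspicious_sections(report: dict) -> list:
    """Sections that look like an embedded payload (high entropy) or an
    in-place unpacking stub (writable and executable at the same time)."""
    return [s["name"] for s in report["sections"]
            if s["entropy"] >= HIGH_ENTROPY or (s["executable"] and s["writable"])]


def build_minimal_pe(timestamp: int, sections) -> bytes:
    """Constructed input: a parsable (not loadable) PE32 with the given
    (name, characteristics, payload) sections and 0x200-byte file alignment."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    headers, body, va = bytearray(dos + b"PE\0\0" + coff + opt), bytearray(), 0x1000
    for name, flags, payload in sections:
        rawsize = (len(payload) + 0x1FF) & ~0x1FF
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va,
                               rawsize, raw_ptr + len(body), 0, 0, 0, 0, flags)
        body += payload.ljust(rawsize, b"\0")
        va += (len(payload) + 0xFFF) & ~0xFFF
    return bytes(headers).ljust(raw_ptr, b"\0") + bytes(body)


def sample_report() -> dict:
    """Constructed sample: a small code section, an empty data section and a
    4 KiB pseudo-random resource section standing in for an encrypted payload."""
    rng = random.Random(7)
    payload = bytes(rng.randrange(256) for _ in range(4096))
    pe = build_minimal_pe(0x66A2FDE8, [
        (b".text", 0x60000020, b"\x55\x8b\xec" * 200 + b"\xc3"),
        (b".data", 0xC0000040, b"\0" * 64),
        (b".rsrc", 0x40000040, payload),
    ])
    return parse_pe(pe)


if __name__ == "__main__":
    rep = sample_report()
    print(rep["timestamp"], hex(rep["image_base"]), hex(rep["entry_rva"]))
    for s in rep["sections"]:
        print(f'{s["name"]:8} va={s["va"]:#x} raw={s["raw_size"]:#x} entropy={s["entropy"]}')
    print("suspicious:", suspicious_sections(rep))
```

Run on a real sample, replace `sample_report()` with `parse_pe(open(path, "rb").read())`. Entropy alone does not separate packers from legitimate compressed resources (icons, fonts), so the flag is a triage hint to be read together with the resource table and the AutoIt indicator, not a verdict.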
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
          RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
          RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
          RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
          RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
          RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
          RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
          RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
          RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
          RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
          RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
          RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
          RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
          RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
          RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
          RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
          RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
          RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
          RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
          RT_RCDATA | 0xdc7b8 | 0x535ae | data | | | 1.0003251108598743
          RT_GROUP_ICON | 0x12fd68 | 0x76 | data | English | Great Britain | 0.6610169491525424
          RT_GROUP_ICON | 0x12fde0 | 0x14 | data | English | Great Britain | 1.25
          RT_GROUP_ICON | 0x12fdf4 | 0x14 | data | English | Great Britain | 1.15
          RT_GROUP_ICON | 0x12fe08 | 0x14 | data | English | Great Britain | 1.25
          RT_VERSION | 0x12fe1c | 0xdc | data | English | Great Britain | 0.6181818181818182
          RT_MANIFEST | 0x12fef8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
          DLL | Import
          WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
          VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
          WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
          USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
          USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
          GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
          COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
          SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
          Language of compilation system | Country where language is spoken | Map
          English | Great Britain
          No network behavior found
          Target ID:0
          Start time:17:52:56
          Start date:26/07/2024
          Path:C:\Users\user\Desktop\PI_2024.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\PI_2024.exe"
          Imagebase:0x1d0000
          File size:1'256'960 bytes
          MD5 hash:44D203E05B0D9EF3262D3F62ECA36CE7
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:2
          Start time:17:52:57
          Start date:26/07/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\PI_2024.exe"
          Imagebase:0xbd0000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2713085575.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2713407785.0000000003840000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:true
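Target ID 2 is C:\Windows\SysWOW64\svchost.exe, yet its command line is the injector's own ("C:\Users\user\Desktop\PI_2024.exe"), its parent is that injector rather than services.exe, it carries no -k service group, and the FormBook Yara hits sit in a region at 0x400000 rather than at the 0xbd0000 image base listed for the process: the launch profile of a hollowed host process. The rule below turns that profile into a check over process-creation events. It is an added example, not Joe Sandbox or FormBook code; the events are constructed to mirror the two Target IDs in this report and use Sysmon Event ID 1 field names, and the "services.exe is the only legitimate parent of svchost.exe" and "anything under C:\Users is user-writable" rules are simplifying assumptions.

```python
"""Process-creation hunting rule for a hollowed svchost.exe.
Added example (not Joe Sandbox code) over constructed Sysmon Event ID 1 records."""
import ntpath

# Constructed events modelled on Target ID 0 and Target ID 2 of the report, plus
# one ordinary service host for contrast. ProcessId values are made up.
EVENTS = [
    {"ProcessId": 1000, "Image": r"C:\Users\user\Desktop\PI_2024.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PI_2024.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 1002, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PI_2024.exe"',
     "ParentImage": r"C:\Users\user\Desktop\PI_2024.exe"},
    {"ProcessId": 800, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def command_line_image(cmdline: str) -> str:
    """First argv element of a Windows command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def under_user_profile(path: str) -> bool:
    """Assumption: any path below C:\\Users\\ counts as user-writable."""
    parts = path.replace("/", "\\").lower().split("\\")
    return len(parts) > 1 and parts[1] == "users"


def analyse(event: dict) -> list:
    """Reasons this process-creation event looks like a hollowed host; empty if none."""
    reasons = []
    image = ntpath.basename(event["Image"]).lower()
    claimed = ntpath.basename(command_line_image(event["CommandLine"])).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    # A hollowed child inherits the injector's command line, so argv[0] names
    # a different executable than the image that was actually mapped.
    if claimed and claimed != image:
        reasons.append(f"command line names {claimed} but image is {image}")
    if image == "svchost.exe":
        if parent != "services.exe":
            reasons.append(f"svchost.exe started by {parent}, not services.exe")
        if "-k" not in event["CommandLine"].lower().split():
            reasons.append("svchost.exe without a -k service group")
        if under_user_profile(event["ParentImage"]):
            reasons.append("parent runs from a user-writable location")
    return reasons


def findings(events) -> list:
    """Events with at least one reason, in input order."""
    out = []
    for e in events:
        reasons = analyse(e)
        if reasons:
            out.append({"ProcessId": e["ProcessId"], "Image": e["Image"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f'PID {f["ProcessId"]} {f["Image"]}')
        for r in f["reasons"]:
            print("   -", r)
```

The command-line mismatch is the strongest single signal here because it comes from the injector's CreateProcessW call rather than from anything the payload does later; the parent and -k checks add confidence but need an allowlist in environments where other system components legitimately spawn svchost.exe. None of the checks needs memory scanning, so they fire at process start, before the Yara matches above would be available.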


            Execution Graph

            Execution Coverage:3.1%
            Dynamic/Decrypted Code Coverage:0.9%
            Signature Coverage:3.1%
            Total number of Nodes:1939
            Total number of Limit Nodes:57
            Execution graph (interactive node listing omitted). The labels recoverable from the graph nodes are: a window message pump (PeekMessageW, GetInputState, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, TranslateMessage, DispatchMessageW) paced with timeGetTime, Sleep and GetForegroundWindow; a timing loop built on QueryPerformanceCounter, QueryPerformanceFrequency and Sleep; child-process bookkeeping with GetExitCodeProcess, WaitForSingleObject and CloseHandle; CRT file I/O through CreateFileW, GetFileType, GetLastError, CloseHandle and FindCloseChangeNotification (__wsopen_s, __fread_nolock, __dosmaperr); heap use via RtlAllocateHeap and RtlFreeHeap; exception paths through RaiseException; and run-once/critical-section helpers (EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, __Init_thread_wait, __Init_thread_footer, __onexit).
95989 1f00a3 29 API calls __onexit 95906->95989 95990 1f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95906->95990 95991 2547d4 235 API calls 95906->95991 95992 2568c1 235 API calls 95906->95992 95907->95906 95908->95906 95909->95906 95910->95852 95914 1e1376 95913->95914 95915 1e17b0 95913->95915 95917 226331 95914->95917 95918 1e1390 95914->95918 96121 1f0242 5 API calls __Init_thread_wait 95915->96121 96132 25709c 235 API calls 95917->96132 96006 1e1940 95918->96006 95920 1e17ba 95928 1e17fb 95920->95928 96122 1d9cb3 95920->96122 95922 22633d 95922->95852 95925 1e1940 9 API calls 95926 1e13b6 95925->95926 95926->95928 95929 1e13ec 95926->95929 95927 226346 96133 24359c 82 API calls __wsopen_s 95927->96133 95928->95927 95930 1e182c 95928->95930 95929->95927 95954 1e1408 __fread_nolock 95929->95954 96129 1daceb 23 API calls messages 95930->96129 95931 1e17d4 96128 1f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95931->96128 95934 1e1839 96130 1ed217 235 API calls 95934->96130 95937 22636e 96134 24359c 82 API calls __wsopen_s 95937->96134 95938 1e152f 95940 1e153c 95938->95940 95941 2263d1 95938->95941 95943 1e1940 9 API calls 95940->95943 96136 255745 54 API calls _wcslen 95941->96136 95945 1e1549 95943->95945 95944 1efddb 22 API calls 95944->95954 95948 1e1940 9 API calls 95945->95948 95959 1e15c7 messages 95945->95959 95946 1e1872 96131 1efaeb 23 API calls 95946->96131 95947 1efe0b 22 API calls 95947->95954 95956 1e1563 95948->95956 95949 1e171d 95949->95852 95952 1dec40 235 API calls 95952->95954 95953 1e167b messages 95953->95949 96120 1ece17 22 API calls messages 95953->96120 95954->95934 95954->95937 95954->95938 95954->95944 95954->95947 95954->95952 95957 2263b2 95954->95957 95954->95959 95955 1e1940 9 API calls 95955->95959 95956->95959 95961 1da8c7 22 API calls 95956->95961 96135 24359c 82 API calls __wsopen_s 95957->96135 95959->95946 95959->95953 95959->95955 96016 1d4f39 95959->96016 96022 25959f 95959->96022 
96025 24f0ec 95959->96025 96034 25958b 95959->96034 96037 23d4ce 95959->96037 96040 246ef1 95959->96040 96137 24359c 82 API calls __wsopen_s 95959->96137 95961->95959 95968->95852 95969->95852 95970->95852 95971->95852 95972->95852 95973->95877 95974->95877 95975->95877 95976->95887 95977->95889 95978->95906 95979->95906 95980->95895 95982 1efe0b 22 API calls 95981->95982 95983 1da976 95982->95983 95993 1efddb 95983->95993 95985 1da984 95986 1f00a3 29 API calls __onexit 95985->95986 95986->95902 95987->95906 95988->95906 95989->95906 95990->95906 95991->95906 95992->95906 95996 1efde0 95993->95996 95994 1fea0c ___std_exception_copy 21 API calls 95994->95996 95995 1efdfa 95995->95985 95996->95994 95996->95995 95998 1efdfc 95996->95998 96003 1f4ead 7 API calls 2 library calls 95996->96003 96002 1f066d 95998->96002 96004 1f32a4 RaiseException 95998->96004 96001 1f068a 96001->95985 96005 1f32a4 RaiseException 96002->96005 96003->95996 96004->96002 96005->96001 96007 1e1981 96006->96007 96010 1e195d 96006->96010 96138 1f0242 5 API calls __Init_thread_wait 96007->96138 96015 1e13a0 96010->96015 96140 1f0242 5 API calls __Init_thread_wait 96010->96140 96011 1e198b 96011->96010 96139 1f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96011->96139 96012 1e8727 96012->96015 96141 1f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96012->96141 96015->95925 96017 1d4f4a 96016->96017 96018 1d4f43 96016->96018 96020 1d4f59 96017->96020 96021 1d4f6a FreeLibrary 96017->96021 96142 1fe678 96018->96142 96020->95959 96021->96020 96365 257f59 96022->96365 96024 2595af 96024->95959 96026 1d7510 53 API calls 96025->96026 96027 24f126 96026->96027 96508 1d9e90 96027->96508 96029 24f136 96030 24f15b 96029->96030 96031 1dec40 235 API calls 96029->96031 96033 24f15f 96030->96033 96536 1d9c6e 22 API calls 96030->96536 96031->96030 96033->95959 96035 257f59 120 API calls 96034->96035 96036 25959b 96035->96036 96036->95959 96562 23dbbe lstrlenW 96037->96562 
96041 1da961 22 API calls 96040->96041 96042 246f1d 96041->96042 96043 1da961 22 API calls 96042->96043 96044 246f26 96043->96044 96045 246f3a 96044->96045 96752 1db567 39 API calls 96044->96752 96047 1d7510 53 API calls 96045->96047 96050 246f57 _wcslen 96047->96050 96048 246fbc 96051 1d7510 53 API calls 96048->96051 96049 2470bf 96567 1d4ecb 96049->96567 96050->96048 96050->96049 96060 2470e9 96050->96060 96053 246fc8 96051->96053 96057 1da8c7 22 API calls 96053->96057 96063 246fdb 96053->96063 96055 2470e5 96056 1da961 22 API calls 96055->96056 96055->96060 96059 24711a 96056->96059 96057->96063 96058 1d4ecb 94 API calls 96058->96055 96061 1da961 22 API calls 96059->96061 96060->95959 96065 247126 96061->96065 96062 247027 96064 1d7510 53 API calls 96062->96064 96063->96062 96066 247005 96063->96066 96070 1da8c7 22 API calls 96063->96070 96068 247034 96064->96068 96069 1da961 22 API calls 96065->96069 96753 1d33c6 96066->96753 96072 247047 96068->96072 96073 24703d 96068->96073 96074 24712f 96069->96074 96070->96066 96071 24700f 96075 1d7510 53 API calls 96071->96075 96762 23e199 GetFileAttributesW 96072->96762 96076 1da8c7 22 API calls 96073->96076 96078 1da961 22 API calls 96074->96078 96079 24701b 96075->96079 96076->96072 96081 247138 96078->96081 96082 1d6350 22 API calls 96079->96082 96080 247050 96083 247063 96080->96083 96086 1d4c6d 22 API calls 96080->96086 96084 1d7510 53 API calls 96081->96084 96082->96062 96085 1d7510 53 API calls 96083->96085 96093 247069 96083->96093 96087 247145 96084->96087 96089 2470a0 96085->96089 96086->96083 96589 1d525f 96087->96589 96763 23d076 57 API calls 96089->96763 96090 247166 96631 1d4c6d 96090->96631 96093->96060 96095 2471a9 96097 1da8c7 22 API calls 96095->96097 96096 1d4c6d 22 API calls 96099 247186 96096->96099 96098 2471ba 96097->96098 96634 1d6350 96098->96634 96099->96095 96764 1d6b57 96099->96764 96103 1d6350 22 API calls 96105 2471d6 96103->96105 96104 24719b 96106 1d6b57 22 API calls 96104->96106 96107 
1d6350 22 API calls 96105->96107 96106->96095 96108 2471e4 96107->96108 96109 1d7510 53 API calls 96108->96109 96110 2471f0 96109->96110 96643 23d7bc 96110->96643 96112 247201 96113 23d4ce 4 API calls 96112->96113 96114 24720b 96113->96114 96115 1d7510 53 API calls 96114->96115 96118 247239 96114->96118 96116 247229 96115->96116 96697 242947 96116->96697 96119 1d4f39 68 API calls 96118->96119 96119->96060 96120->95953 96121->95920 96123 1d9cc2 _wcslen 96122->96123 96124 1efe0b 22 API calls 96123->96124 96125 1d9cea __fread_nolock 96124->96125 96126 1efddb 22 API calls 96125->96126 96127 1d9d00 96126->96127 96127->95931 96128->95928 96129->95934 96130->95946 96131->95946 96132->95922 96133->95959 96134->95959 96135->95959 96136->95956 96137->95959 96138->96011 96139->96010 96140->96012 96141->96015 96143 1fe684 __FrameHandler3::FrameUnwindToState 96142->96143 96144 1fe6aa 96143->96144 96145 1fe695 96143->96145 96154 1fe6a5 __fread_nolock 96144->96154 96155 1f918d EnterCriticalSection 96144->96155 96172 1ff2d9 20 API calls __dosmaperr 96145->96172 96148 1fe69a 96173 2027ec 26 API calls __fread_nolock 96148->96173 96149 1fe6c6 96156 1fe602 96149->96156 96152 1fe6d1 96174 1fe6ee LeaveCriticalSection __fread_nolock 96152->96174 96154->96017 96155->96149 96157 1fe60f 96156->96157 96158 1fe624 96156->96158 96207 1ff2d9 20 API calls __dosmaperr 96157->96207 96164 1fe61f 96158->96164 96175 1fdc0b 96158->96175 96161 1fe614 96208 2027ec 26 API calls __fread_nolock 96161->96208 96164->96152 96168 1fe646 96192 20862f 96168->96192 96171 2029c8 _free 20 API calls 96171->96164 96172->96148 96173->96154 96174->96154 96176 1fdc23 96175->96176 96180 1fdc1f 96175->96180 96177 1fd955 __fread_nolock 26 API calls 96176->96177 96176->96180 96178 1fdc43 96177->96178 96209 2059be 96178->96209 96181 204d7a 96180->96181 96182 204d90 96181->96182 96183 1fe640 96181->96183 96182->96183 96184 2029c8 _free 20 API calls 96182->96184 96185 1fd955 96183->96185 96184->96183 96186 1fd976 96185->96186 
96187 1fd961 96185->96187 96186->96168 96341 1ff2d9 20 API calls __dosmaperr 96187->96341 96189 1fd966 96342 2027ec 26 API calls __fread_nolock 96189->96342 96191 1fd971 96191->96168 96193 208653 96192->96193 96194 20863e 96192->96194 96196 20868e 96193->96196 96201 20867a 96193->96201 96346 1ff2c6 20 API calls __dosmaperr 96194->96346 96348 1ff2c6 20 API calls __dosmaperr 96196->96348 96198 208643 96347 1ff2d9 20 API calls __dosmaperr 96198->96347 96199 208693 96349 1ff2d9 20 API calls __dosmaperr 96199->96349 96343 208607 96201->96343 96204 20869b 96350 2027ec 26 API calls __fread_nolock 96204->96350 96205 1fe64c 96205->96164 96205->96171 96207->96161 96208->96164 96210 2059ca __FrameHandler3::FrameUnwindToState 96209->96210 96211 2059d2 96210->96211 96212 2059ea 96210->96212 96288 1ff2c6 20 API calls __dosmaperr 96211->96288 96214 205a88 96212->96214 96217 205a1f 96212->96217 96293 1ff2c6 20 API calls __dosmaperr 96214->96293 96216 2059d7 96289 1ff2d9 20 API calls __dosmaperr 96216->96289 96234 205147 EnterCriticalSection 96217->96234 96218 205a8d 96294 1ff2d9 20 API calls __dosmaperr 96218->96294 96222 205a25 96224 205a41 96222->96224 96225 205a56 96222->96225 96223 205a95 96295 2027ec 26 API calls __fread_nolock 96223->96295 96290 1ff2d9 20 API calls __dosmaperr 96224->96290 96235 205aa9 96225->96235 96228 2059df __fread_nolock 96228->96180 96230 205a46 96291 1ff2c6 20 API calls __dosmaperr 96230->96291 96231 205a51 96292 205a80 LeaveCriticalSection __wsopen_s 96231->96292 96234->96222 96236 205ad7 96235->96236 96274 205ad0 96235->96274 96237 205afa 96236->96237 96238 205adb 96236->96238 96242 205b4b 96237->96242 96243 205b2e 96237->96243 96303 1ff2c6 20 API calls __dosmaperr 96238->96303 96241 205ae0 96304 1ff2d9 20 API calls __dosmaperr 96241->96304 96246 205b61 96242->96246 96309 209424 28 API calls __wsopen_s 96242->96309 96306 1ff2c6 20 API calls __dosmaperr 96243->96306 96244 205cb1 96244->96231 96296 20564e 96246->96296 96248 205ae7 96305 2027ec 26 API 
calls __fread_nolock 96248->96305 96251 205b33 96307 1ff2d9 20 API calls __dosmaperr 96251->96307 96255 205ba8 96258 205c02 WriteFile 96255->96258 96259 205bbc 96255->96259 96256 205b6f 96260 205b73 96256->96260 96261 205b95 96256->96261 96257 205b3b 96308 2027ec 26 API calls __fread_nolock 96257->96308 96266 205c25 GetLastError 96258->96266 96272 205b8b 96258->96272 96263 205bf2 96259->96263 96264 205bc4 96259->96264 96265 205c69 96260->96265 96310 2055e1 GetLastError WriteConsoleW CreateFileW __wsopen_s 96260->96310 96311 20542e 45 API calls 3 library calls 96261->96311 96314 2056c4 7 API calls 2 library calls 96263->96314 96268 205be2 96264->96268 96269 205bc9 96264->96269 96265->96274 96318 1ff2d9 20 API calls __dosmaperr 96265->96318 96266->96272 96313 205891 8 API calls 2 library calls 96268->96313 96269->96265 96275 205bd2 96269->96275 96272->96265 96272->96274 96279 205c45 96272->96279 96320 1f0a8c 96274->96320 96312 2057a3 7 API calls 2 library calls 96275->96312 96277 205be0 96277->96272 96278 205c8e 96319 1ff2c6 20 API calls __dosmaperr 96278->96319 96282 205c60 96279->96282 96283 205c4c 96279->96283 96317 1ff2a3 20 API calls __dosmaperr 96282->96317 96315 1ff2d9 20 API calls __dosmaperr 96283->96315 96286 205c51 96316 1ff2c6 20 API calls __dosmaperr 96286->96316 96288->96216 96289->96228 96290->96230 96291->96231 96292->96228 96293->96218 96294->96223 96295->96228 96327 20f89b 96296->96327 96298 20565e 96299 205663 96298->96299 96336 202d74 38 API calls 3 library calls 96298->96336 96299->96255 96299->96256 96301 205686 96301->96299 96302 2056a4 GetConsoleMode 96301->96302 96302->96299 96303->96241 96304->96248 96305->96274 96306->96251 96307->96257 96308->96274 96309->96246 96310->96272 96311->96272 96312->96277 96313->96277 96314->96277 96315->96286 96316->96274 96317->96274 96318->96278 96319->96274 96321 1f0a97 IsProcessorFeaturePresent 96320->96321 96322 1f0a95 96320->96322 96324 1f0c5d 96321->96324 96322->96244 96340 1f0c21 
SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96324->96340 96326 1f0d40 96326->96244 96328 20f8a8 96327->96328 96330 20f8b5 96327->96330 96337 1ff2d9 20 API calls __dosmaperr 96328->96337 96332 20f8c1 96330->96332 96338 1ff2d9 20 API calls __dosmaperr 96330->96338 96331 20f8ad 96331->96298 96332->96298 96334 20f8e2 96339 2027ec 26 API calls __fread_nolock 96334->96339 96336->96301 96337->96331 96338->96334 96339->96331 96340->96326 96341->96189 96342->96191 96351 208585 96343->96351 96345 20862b 96345->96205 96346->96198 96347->96205 96348->96199 96349->96204 96350->96205 96352 208591 __FrameHandler3::FrameUnwindToState 96351->96352 96362 205147 EnterCriticalSection 96352->96362 96354 20859f 96355 2085d1 96354->96355 96356 2085c6 96354->96356 96363 1ff2d9 20 API calls __dosmaperr 96355->96363 96357 2086ae __wsopen_s 29 API calls 96356->96357 96359 2085cc 96357->96359 96364 2085fb LeaveCriticalSection __wsopen_s 96359->96364 96361 2085ee __fread_nolock 96361->96345 96362->96354 96363->96359 96364->96361 96403 1d7510 96365->96403 96369 25844f 96467 258ee4 60 API calls 96369->96467 96372 25845e 96374 25828f 96372->96374 96375 25846a 96372->96375 96373 1d7510 53 API calls 96380 258049 96373->96380 96439 257e86 96374->96439 96382 257fd5 messages 96375->96382 96380->96373 96380->96382 96390 258281 96380->96390 96458 23417d 22 API calls __fread_nolock 96380->96458 96459 25851d 42 API calls _strftime 96380->96459 96381 2582c8 96454 1efc70 96381->96454 96382->96024 96385 258302 96461 1d63eb 22 API calls 96385->96461 96386 2582e8 96460 24359c 82 API calls __wsopen_s 96386->96460 96389 2582f3 GetCurrentProcess TerminateProcess 96389->96385 96390->96369 96390->96374 96391 258311 96462 1d6a50 22 API calls 96391->96462 96393 25832a 96401 258352 96393->96401 96463 1e04f0 22 API calls 96393->96463 96394 2584c5 96394->96382 96399 2584d9 FreeLibrary 96394->96399 96396 258341 96464 258b7b 75 API calls 96396->96464 96399->96382 96401->96394 
96465 1e04f0 22 API calls 96401->96465 96466 1daceb 23 API calls messages 96401->96466 96468 258b7b 75 API calls 96401->96468 96404 1d7525 96403->96404 96405 1d7522 96403->96405 96406 1d752d 96404->96406 96407 1d755b 96404->96407 96405->96382 96426 258cd3 96405->96426 96469 1f51c6 26 API calls 96406->96469 96409 2150f6 96407->96409 96412 1d756d 96407->96412 96417 21500f 96407->96417 96472 1f5183 26 API calls 96409->96472 96410 1d753d 96416 1efddb 22 API calls 96410->96416 96470 1efb21 51 API calls 96412->96470 96413 21510e 96413->96413 96418 1d7547 96416->96418 96420 1efe0b 22 API calls 96417->96420 96425 215088 96417->96425 96419 1d9cb3 22 API calls 96418->96419 96419->96405 96421 215058 96420->96421 96422 1efddb 22 API calls 96421->96422 96423 21507f 96422->96423 96424 1d9cb3 22 API calls 96423->96424 96424->96425 96471 1efb21 51 API calls 96425->96471 96473 1daec9 96426->96473 96428 258cee CharLowerBuffW 96479 238e54 96428->96479 96432 1da961 22 API calls 96433 258d2a 96432->96433 96486 1d6d25 96433->96486 96435 258d3e 96499 1d93b2 96435->96499 96436 258e5e _wcslen 96436->96380 96438 258d48 _wcslen 96438->96436 96503 25851d 42 API calls _strftime 96438->96503 96440 257ea1 96439->96440 96444 257eec 96439->96444 96441 1efe0b 22 API calls 96440->96441 96443 257ec3 96441->96443 96442 1efddb 22 API calls 96442->96443 96443->96442 96443->96444 96445 259096 96444->96445 96446 2592ab messages 96445->96446 96453 2590ba _strcat _wcslen 96445->96453 96446->96381 96447 1db6b5 39 API calls 96447->96453 96448 1db567 39 API calls 96448->96453 96449 1db38f 39 API calls 96449->96453 96450 1d7510 53 API calls 96450->96453 96451 1fea0c 21 API calls ___std_exception_copy 96451->96453 96453->96446 96453->96447 96453->96448 96453->96449 96453->96450 96453->96451 96507 23efae 24 API calls _wcslen 96453->96507 96455 1efc85 96454->96455 96456 1efd1d VirtualAlloc 96455->96456 96457 1efceb 96455->96457 96456->96457 96457->96385 96457->96386 96458->96380 96459->96380 96460->96389 
96461->96391 96462->96393 96463->96396 96464->96401 96465->96401 96466->96401 96467->96372 96468->96401 96469->96410 96470->96410 96471->96409 96472->96413 96474 1daedc 96473->96474 96478 1daed9 __fread_nolock 96473->96478 96475 1efddb 22 API calls 96474->96475 96476 1daee7 96475->96476 96477 1efe0b 22 API calls 96476->96477 96477->96478 96478->96428 96480 238e74 _wcslen 96479->96480 96481 238f63 96480->96481 96483 238ea9 96480->96483 96485 238f68 96480->96485 96481->96432 96481->96438 96483->96481 96504 1ece60 41 API calls 96483->96504 96485->96481 96505 1ece60 41 API calls 96485->96505 96487 1d6d34 96486->96487 96488 1d6d91 96486->96488 96487->96488 96490 1d6d3f 96487->96490 96489 1d93b2 22 API calls 96488->96489 96496 1d6d62 __fread_nolock 96489->96496 96491 1d6d5a 96490->96491 96492 214c9d 96490->96492 96506 1d6f34 22 API calls 96491->96506 96493 1efddb 22 API calls 96492->96493 96495 214ca7 96493->96495 96497 1efe0b 22 API calls 96495->96497 96496->96435 96498 214cda 96497->96498 96500 1d93c9 __fread_nolock 96499->96500 96501 1d93c0 96499->96501 96500->96438 96501->96500 96502 1daec9 22 API calls 96501->96502 96502->96500 96503->96436 96504->96483 96505->96485 96506->96496 96507->96453 96537 1d6270 96508->96537 96510 1d9fd2 96543 1da4a1 96510->96543 96512 1d9fec 96512->96029 96515 1da6c3 22 API calls 96534 1d9eb5 96515->96534 96516 21f7c4 96560 2396e2 84 API calls __wsopen_s 96516->96560 96517 21f699 96522 1efddb 22 API calls 96517->96522 96518 1da405 96518->96512 96561 2396e2 84 API calls __wsopen_s 96518->96561 96524 21f754 96522->96524 96523 21f7d2 96525 1da4a1 22 API calls 96523->96525 96527 1efe0b 22 API calls 96524->96527 96526 21f7e8 96525->96526 96526->96512 96529 1da12c __fread_nolock 96527->96529 96529->96516 96529->96518 96531 1daec9 22 API calls 96532 1da0db CharUpperBuffW 96531->96532 96556 1da673 22 API calls 96532->96556 96534->96510 96534->96515 96534->96516 96534->96517 96534->96518 96534->96529 96534->96531 96535 1da4a1 22 API calls 
96534->96535 96542 1d4573 41 API calls _wcslen 96534->96542 96551 1da587 96534->96551 96557 1d48c8 23 API calls 96534->96557 96558 1d49bd 22 API calls __fread_nolock 96534->96558 96559 1da673 22 API calls 96534->96559 96535->96534 96536->96033 96538 1efe0b 22 API calls 96537->96538 96539 1d6295 96538->96539 96540 1efddb 22 API calls 96539->96540 96541 1d62a3 96540->96541 96541->96534 96542->96534 96544 1da52b 96543->96544 96550 1da4b1 __fread_nolock 96543->96550 96547 1efe0b 22 API calls 96544->96547 96545 1efddb 22 API calls 96546 1da4b8 96545->96546 96548 1da4d6 96546->96548 96549 1efddb 22 API calls 96546->96549 96547->96550 96548->96512 96549->96548 96550->96545 96552 1da59d 96551->96552 96555 1da598 __fread_nolock 96551->96555 96553 1efe0b 22 API calls 96552->96553 96554 21f80f 96552->96554 96553->96555 96554->96554 96555->96534 96556->96534 96557->96534 96558->96534 96559->96534 96560->96523 96561->96512 96563 23d4d5 96562->96563 96564 23dbdc GetFileAttributesW 96562->96564 96563->95959 96564->96563 96565 23dbe8 FindFirstFileW 96564->96565 96565->96563 96566 23dbf9 FindClose 96565->96566 96566->96563 96776 1d4e90 LoadLibraryA 96567->96776 96572 1d4ef6 LoadLibraryExW 96784 1d4e59 LoadLibraryA 96572->96784 96573 213ccf 96574 1d4f39 68 API calls 96573->96574 96577 213cd6 96574->96577 96579 1d4e59 3 API calls 96577->96579 96581 213cde 96579->96581 96580 1d4f20 96580->96581 96582 1d4f2c 96580->96582 96806 1d50f5 96581->96806 96583 1d4f39 68 API calls 96582->96583 96585 1d4f31 96583->96585 96585->96055 96585->96058 96588 213d05 96590 1da961 22 API calls 96589->96590 96591 1d5275 96590->96591 96592 1da961 22 API calls 96591->96592 96593 1d527d 96592->96593 96594 1da961 22 API calls 96593->96594 96595 1d5285 96594->96595 96596 1da961 22 API calls 96595->96596 96597 1d528d 96596->96597 96598 213df5 96597->96598 96599 1d52c1 96597->96599 96600 1da8c7 22 API calls 96598->96600 96601 1d6d25 22 API calls 96599->96601 96602 213dfe 96600->96602 96603 1d52cf 96601->96603 
97040 1da6c3 96602->97040 96605 1d93b2 22 API calls 96603->96605 96606 1d52d9 96605->96606 96607 1d5304 96606->96607 96608 1d6d25 22 API calls 96606->96608 96609 1d5325 96607->96609 96623 1d5349 96607->96623 96626 213e20 96607->96626 96611 1d52fa 96608->96611 96614 1d4c6d 22 API calls 96609->96614 96609->96623 96610 1d6d25 22 API calls 96612 1d535a 96610->96612 96613 1d93b2 22 API calls 96611->96613 96616 1d5370 96612->96616 96620 1da8c7 22 API calls 96612->96620 96613->96607 96619 1d5332 96614->96619 96615 1d6b57 22 API calls 96628 213ee0 96615->96628 96618 1d5384 96616->96618 96621 1da8c7 22 API calls 96616->96621 96617 1d538f 96625 1da8c7 22 API calls 96617->96625 96630 1d539a 96617->96630 96618->96617 96624 1da8c7 22 API calls 96618->96624 96622 1d6d25 22 API calls 96619->96622 96619->96623 96620->96616 96621->96618 96622->96623 96623->96610 96624->96617 96625->96630 96626->96615 96627 1d4c6d 22 API calls 96627->96628 96628->96623 96628->96627 97046 1d49bd 22 API calls __fread_nolock 96628->97046 96630->96090 96632 1daec9 22 API calls 96631->96632 96633 1d4c78 96632->96633 96633->96095 96633->96096 96635 214a51 96634->96635 96636 1d6362 96634->96636 97057 1d4a88 22 API calls __fread_nolock 96635->97057 97047 1d6373 96636->97047 96639 1d636e 96639->96103 96640 214a5b 96641 1da8c7 22 API calls 96640->96641 96642 214a67 96640->96642 96641->96642 96644 23d7d8 96643->96644 96645 23d7f3 96644->96645 96646 23d7dd 96644->96646 96647 1da961 22 API calls 96645->96647 96648 1da8c7 22 API calls 96646->96648 96696 23d7ee 96646->96696 96649 23d7fb 96647->96649 96648->96696 96650 1da961 22 API calls 96649->96650 96651 23d803 96650->96651 96652 1da961 22 API calls 96651->96652 96653 23d80e 96652->96653 96654 1da961 22 API calls 96653->96654 96655 23d816 96654->96655 96656 1da961 22 API calls 96655->96656 96657 23d81e 96656->96657 96658 1da961 22 API calls 96657->96658 96659 23d826 96658->96659 96660 1da961 22 API calls 96659->96660 96661 23d82e 96660->96661 96662 1da961 22 API 
calls 96661->96662 96663 23d836 96662->96663 96664 1d525f 22 API calls 96663->96664 96665 23d84d 96664->96665 96666 1d525f 22 API calls 96665->96666 96667 23d866 96666->96667 96668 1d4c6d 22 API calls 96667->96668 96669 23d872 96668->96669 96670 23d885 96669->96670 96671 1d93b2 22 API calls 96669->96671 96672 1d4c6d 22 API calls 96670->96672 96671->96670 96673 23d88e 96672->96673 96674 1d93b2 22 API calls 96673->96674 96676 23d89e 96673->96676 96674->96676 96675 23d8b0 96678 1d6350 22 API calls 96675->96678 96676->96675 96677 1da8c7 22 API calls 96676->96677 96677->96675 96679 23d8bb 96678->96679 97058 23d978 22 API calls 96679->97058 96681 23d8ca 97059 23d978 22 API calls 96681->97059 96683 23d8dd 96684 1d4c6d 22 API calls 96683->96684 96685 23d8e7 96684->96685 96686 23d8fe 96685->96686 96687 23d8ec 96685->96687 96689 1d4c6d 22 API calls 96686->96689 96688 1d33c6 22 API calls 96687->96688 96690 23d8f9 96688->96690 96691 23d907 96689->96691 96694 1d6350 22 API calls 96690->96694 96692 23d925 96691->96692 96693 1d33c6 22 API calls 96691->96693 96695 1d6350 22 API calls 96692->96695 96693->96690 96694->96692 96695->96696 96696->96112 96698 242954 __wsopen_s 96697->96698 96699 1efe0b 22 API calls 96698->96699 96700 242971 96699->96700 96701 1d5722 22 API calls 96700->96701 96702 24297b 96701->96702 96703 24274e 27 API calls 96702->96703 96704 242986 96703->96704 96705 1d511f 64 API calls 96704->96705 96706 24299b 96705->96706 96707 242a6c 96706->96707 96708 2429bf 96706->96708 96709 242e66 75 API calls 96707->96709 97073 242e66 96708->97073 96725 242a38 96709->96725 96713 1d50f5 40 API calls 96714 242a91 96713->96714 96715 1d50f5 40 API calls 96714->96715 96718 242aa1 96715->96718 96716 242a75 messages 96716->96118 96717 2429ed 97080 1fd583 26 API calls 96717->97080 96719 1d50f5 40 API calls 96718->96719 96721 242abc 96719->96721 96722 1d50f5 40 API calls 96721->96722 96723 242acc 96722->96723 96724 1d50f5 40 API calls 96723->96724 96726 242ae7 96724->96726 
96725->96713 96725->96716 96727 1d50f5 40 API calls 96726->96727 96728 242af7 96727->96728 96729 1d50f5 40 API calls 96728->96729 96730 242b07 96729->96730 96731 1d50f5 40 API calls 96730->96731 96732 242b17 96731->96732 97060 243017 GetTempPathW GetTempFileNameW 96732->97060 96734 242b22 96735 1fe5eb 29 API calls 96734->96735 96746 242b33 96735->96746 96736 242bed 96737 1fe678 67 API calls 96736->96737 96738 242bf8 96737->96738 96740 242c12 96738->96740 96741 242bfe DeleteFileW 96738->96741 96739 1d50f5 40 API calls 96739->96746 96742 242c91 CopyFileW 96740->96742 96748 242c18 96740->96748 96741->96716 96743 242ca7 DeleteFileW 96742->96743 96744 242cb9 DeleteFileW 96742->96744 96743->96716 97070 242fd8 CreateFileW 96744->97070 96746->96716 96746->96736 96746->96739 97061 1fdbb3 96746->97061 97081 2422ce 96748->97081 96751 242c80 DeleteFileW 96751->96716 96752->96045 96754 1d33dd 96753->96754 96755 2130bb 96753->96755 97181 1d33ee 96754->97181 96756 1efddb 22 API calls 96755->96756 96758 2130c5 _wcslen 96756->96758 96760 1efe0b 22 API calls 96758->96760 96759 1d33e8 96759->96071 96761 2130fe __fread_nolock 96760->96761 96762->96080 96763->96093 96765 214ba1 96764->96765 96766 1d6b67 _wcslen 96764->96766 96767 1d93b2 22 API calls 96765->96767 96769 1d6b7d 96766->96769 96770 1d6ba2 96766->96770 96768 214baa 96767->96768 96768->96768 97191 1d6f34 22 API calls 96769->97191 96772 1efddb 22 API calls 96770->96772 96774 1d6bae 96772->96774 96773 1d6b85 __fread_nolock 96773->96104 96775 1efe0b 22 API calls 96774->96775 96775->96773 96777 1d4ea8 GetProcAddress 96776->96777 96778 1d4ec6 96776->96778 96779 1d4eb8 96777->96779 96781 1fe5eb 96778->96781 96779->96778 96780 1d4ebf FreeLibrary 96779->96780 96780->96778 96814 1fe52a 96781->96814 96783 1d4eea 96783->96572 96783->96573 96785 1d4e8d 96784->96785 96786 1d4e6e GetProcAddress 96784->96786 96789 1d4f80 96785->96789 96787 1d4e7e 96786->96787 96787->96785 96788 1d4e86 FreeLibrary 96787->96788 96788->96785 96790 1efe0b 22 
API calls 96789->96790 96791 1d4f95 96790->96791 96866 1d5722 96791->96866 96793 1d4fa1 __fread_nolock 96794 1d50a5 96793->96794 96795 213d1d 96793->96795 96805 1d4fdc 96793->96805 96869 1d42a2 CreateStreamOnHGlobal 96794->96869 96880 24304d 74 API calls 96795->96880 96798 213d22 96800 1d511f 64 API calls 96798->96800 96799 1d50f5 40 API calls 96799->96805 96801 213d45 96800->96801 96802 1d50f5 40 API calls 96801->96802 96804 1d506e messages 96802->96804 96804->96580 96805->96798 96805->96799 96805->96804 96875 1d511f 96805->96875 96807 213d70 96806->96807 96808 1d5107 96806->96808 96902 1fe8c4 96808->96902 96811 2428fe 97023 24274e 96811->97023 96813 242919 96813->96588 96817 1fe536 __FrameHandler3::FrameUnwindToState 96814->96817 96815 1fe544 96839 1ff2d9 20 API calls __dosmaperr 96815->96839 96817->96815 96819 1fe574 96817->96819 96818 1fe549 96840 2027ec 26 API calls __fread_nolock 96818->96840 96821 1fe579 96819->96821 96822 1fe586 96819->96822 96841 1ff2d9 20 API calls __dosmaperr 96821->96841 96831 208061 96822->96831 96825 1fe58f 96826 1fe595 96825->96826 96827 1fe5a2 96825->96827 96842 1ff2d9 20 API calls __dosmaperr 96826->96842 96843 1fe5d4 LeaveCriticalSection __fread_nolock 96827->96843 96829 1fe554 __fread_nolock 96829->96783 96832 20806d __FrameHandler3::FrameUnwindToState 96831->96832 96844 202f5e EnterCriticalSection 96832->96844 96834 20807b 96845 2080fb 96834->96845 96838 2080ac __fread_nolock 96838->96825 96839->96818 96840->96829 96841->96829 96842->96829 96843->96829 96844->96834 96852 20811e 96845->96852 96846 208088 96858 2080b7 96846->96858 96847 208177 96848 204c7d __FrameHandler3::FrameUnwindToState 20 API calls 96847->96848 96849 208180 96848->96849 96851 2029c8 _free 20 API calls 96849->96851 96853 208189 96851->96853 96852->96846 96852->96847 96861 1f918d EnterCriticalSection 96852->96861 96862 1f91a1 LeaveCriticalSection 96852->96862 96853->96846 96863 203405 11 API calls 2 library calls 96853->96863 96855 2081a8 96864 1f918d 

            Control-flow Graph

            APIs
            • GetVersionExW.KERNEL32(?), ref: 001D430D
              • Part of subcall function 001D6B57: _wcslen.LIBCMT ref: 001D6B6A
            • GetCurrentProcess.KERNEL32(?,0026CB64,00000000,?,?), ref: 001D4422
            • IsWow64Process.KERNEL32(00000000,?,?), ref: 001D4429
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001D4454
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001D4466
            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 001D4474
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 001D447B
            • GetSystemInfo.KERNEL32(?,?,?), ref: 001D44A0
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
            • String ID: GetNativeSystemInfo$kernel32.dll$|O
            • API String ID: 3290436268-3101561225
            • Opcode ID: 5fc57394bd8b06b306fcb9fd44d2c4f24b8f26c3ccec7f852444997bdaa45c45
            • Instruction ID: 274a1a24306d8b979b533b9517d577c9d3b3194c226628f7b263a9bdcb29a0e5
            • Opcode Fuzzy Hash: 5fc57394bd8b06b306fcb9fd44d2c4f24b8f26c3ccec7f852444997bdaa45c45
            • Instruction Fuzzy Hash: F7A1BD6691A3C0DFCF15DF6978481E97FE56B37360F1848DAE08193B62DB3049A9CB21

            Control-flow Graph

            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001D50AA,?,?,00000000,00000000), ref: 001D42B2
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001D50AA,?,?,00000000,00000000), ref: 001D42C9
            • LoadResource.KERNEL32(?,00000000,?,?,001D50AA,?,?,00000000,00000000,?,?,?,?,?,?,001D4F20), ref: 002135BE
            • SizeofResource.KERNEL32(?,00000000,?,?,001D50AA,?,?,00000000,00000000,?,?,?,?,?,?,001D4F20), ref: 002135D3
            • LockResource.KERNEL32(001D50AA,?,?,001D50AA,?,?,00000000,00000000,?,?,?,?,?,?,001D4F20,?), ref: 002135E6
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: 1c900efbf65f727cec6feee8f930b7bc6eff8f5f331c842e6dbff3b5d9f3c2c1
            • Instruction ID: 515391b234e66e8d929bd927c41f7d985f5fc5e51c0c5711b7368d6bc61c9228
            • Opcode Fuzzy Hash: 1c900efbf65f727cec6feee8f930b7bc6eff8f5f331c842e6dbff3b5d9f3c2c1
            • Instruction Fuzzy Hash: 83115E71200701BFE721AB69EC49F677BBAEBC5B51F24816AF886D6250DBB1DC108670

            Control-flow Graph

            APIs
            • SetCurrentDirectoryW.KERNEL32(?), ref: 001D2B6B
              • Part of subcall function 001D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002A1418,?,001D2E7F,?,?,?,00000000), ref: 001D3A78
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • GetForegroundWindow.USER32(runas,?,?,?,?,?,00292224), ref: 00212C10
            • ShellExecuteW.SHELL32(00000000,?,?,00292224), ref: 00212C17
            Similarity
            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
            • String ID: runas
            • API String ID: 448630720-4000483414
            • Opcode ID: 454104e543b5f7ca8ac30af80133a17904414dfa9707b77876b1643537b1577d
            • Instruction ID: bae409cdbc083afe0ebd55e6e803c87945494eb46a1f839a452392c569fbe2ac
            • Opcode Fuzzy Hash: 454104e543b5f7ca8ac30af80133a17904414dfa9707b77876b1643537b1577d
            • Instruction Fuzzy Hash: A6112931208301ABC704FF64E8559BEBBA4AFB6750F04042FF0A2532A2CF709A69D713
            APIs
            • lstrlenW.KERNEL32(?,00215222), ref: 0023DBCE
            • GetFileAttributesW.KERNELBASE(?), ref: 0023DBDD
            • FindFirstFileW.KERNELBASE(?,?), ref: 0023DBEE
            • FindClose.KERNEL32(00000000), ref: 0023DBFA
            Similarity
            • API ID: FileFind$AttributesCloseFirstlstrlen
            • String ID:
            • API String ID: 2695905019-0
            • Opcode ID: ee75b8442cc5cf4ecaf05d66b4cba044681b2116e23356b0c8e800dc945e7e66
            • Instruction ID: 0525e5e4afa2575b0ca18945c9926ca53f697d7db0f0c2a6f2e6bd57894acf11
            • Opcode Fuzzy Hash: ee75b8442cc5cf4ecaf05d66b4cba044681b2116e23356b0c8e800dc945e7e66
            • Instruction Fuzzy Hash: 4FF0A0B08309105782207F7CBC0D8BA776C9E02334FA08B03FCB6C20E0EBF099648695
            APIs
            • GetInputState.USER32 ref: 001DD807
            • timeGetTime.WINMM ref: 001DDA07
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001DDB28
            • TranslateMessage.USER32(?), ref: 001DDB7B
            • DispatchMessageW.USER32(?), ref: 001DDB89
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001DDB9F
            • Sleep.KERNEL32(0000000A), ref: 001DDBB1
            Similarity
            • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
            • String ID:
            • API String ID: 2189390790-0
            • Opcode ID: 18ca0a70e6b4242688a84f1e0363e75dd0232262a736551960ea928a9da0805d
            • Instruction ID: a7f72bbb049d8a6e47f9509d84a870325575e7ca6d4215f6cc3eecdcb0e31b20
            • Opcode Fuzzy Hash: 18ca0a70e6b4242688a84f1e0363e75dd0232262a736551960ea928a9da0805d
            • Instruction Fuzzy Hash: 3B422530618352EFD728CF24E898BAAB7E0BF56304F15855EF49587391C7B1E858CB82

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 001D2D07
            • RegisterClassExW.USER32(00000030), ref: 001D2D31
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001D2D42
            • InitCommonControlsEx.COMCTL32(?), ref: 001D2D5F
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001D2D6F
            • LoadIconW.USER32(000000A9), ref: 001D2D85
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001D2D94
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 181eef81f981cdf704a42f216f29248fe4af6a267b90af52d0820e2984aea043
            • Instruction ID: 3de2550396f6b36219873ef7d2c58d6578ad4983a135264b264b14a9cc545c03
            • Opcode Fuzzy Hash: 181eef81f981cdf704a42f216f29248fe4af6a267b90af52d0820e2984aea043
            • Instruction Fuzzy Hash: 372113B0901319AFDB00EFA4E88CBEEBBB8FB09710F10811AF551A62A0DBB10554CF90

            Control-flow Graph

            APIs
              • Part of subcall function 0021039A: CreateFileW.KERNELBASE(00000000,00000000,?,00210704,?,?,00000000,?,00210704,00000000,0000000C), ref: 002103B7
            • GetLastError.KERNEL32 ref: 0021076F
            • __dosmaperr.LIBCMT ref: 00210776
            • GetFileType.KERNELBASE(00000000), ref: 00210782
            • GetLastError.KERNEL32 ref: 0021078C
            • __dosmaperr.LIBCMT ref: 00210795
            • CloseHandle.KERNEL32(00000000), ref: 002107B5
            • CloseHandle.KERNEL32(?), ref: 002108FF
            • GetLastError.KERNEL32 ref: 00210931
            • __dosmaperr.LIBCMT ref: 00210938
            Similarity
            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
            • String ID: H
            • API String ID: 4237864984-2852464175
            • Opcode ID: f20a9deebb0f21625f4e4391ed6a4ce831eb1539e63fd328567cd99a091d44cc
            • Instruction ID: bdfa5efa74a830fa1a7d04694bbff05b37f711c8e7058f7660422b600d769a3d
            • Opcode Fuzzy Hash: f20a9deebb0f21625f4e4391ed6a4ce831eb1539e63fd328567cd99a091d44cc
            • Instruction Fuzzy Hash: 77A137329241498FDF19AF68D8957ED7BE0AB16320F14015DF815EB2D1CBB198A3CF51

            Control-flow Graph

            APIs
              • Part of subcall function 001D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002A1418,?,001D2E7F,?,?,?,00000000), ref: 001D3A78
              • Part of subcall function 001D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001D3379
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001D356A
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0021318D
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002131CE
            • RegCloseKey.ADVAPI32(?), ref: 00213210
            • _wcslen.LIBCMT ref: 00213277
            • _wcslen.LIBCMT ref: 00213286
            Similarity
            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 98802146-2727554177
            • Opcode ID: 609bba26c12bc51b493f330d7571a9424a0bcab2e03c9ffb8122ba37f12cffcf
            • Instruction ID: e72aabd1896631ea0014c0080d58ac5c9fd3305da76760e40c003f53d5fffca2
            • Opcode Fuzzy Hash: 609bba26c12bc51b493f330d7571a9424a0bcab2e03c9ffb8122ba37f12cffcf
            • Instruction Fuzzy Hash: E471A071514301DFC704EF69EC859ABBBE8FFA6340F50446EF545932A0EB749A88CB52

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 001D2B8E
            • LoadCursorW.USER32(00000000,00007F00), ref: 001D2B9D
            • LoadIconW.USER32(00000063), ref: 001D2BB3
            • LoadIconW.USER32(000000A4), ref: 001D2BC5
            • LoadIconW.USER32(000000A2), ref: 001D2BD7
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001D2BEF
            • RegisterClassExW.USER32(?), ref: 001D2C40
              • Part of subcall function 001D2CD4: GetSysColorBrush.USER32(0000000F), ref: 001D2D07
              • Part of subcall function 001D2CD4: RegisterClassExW.USER32(00000030), ref: 001D2D31
              • Part of subcall function 001D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001D2D42
              • Part of subcall function 001D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001D2D5F
              • Part of subcall function 001D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001D2D6F
              • Part of subcall function 001D2CD4: LoadIconW.USER32(000000A9), ref: 001D2D85
              • Part of subcall function 001D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001D2D94
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 072f90cf6040cf2ff176c7ea28862d56bc8fc93b92c4e0cded260317c597c86f
            • Instruction ID: 30583c086bd1d6bad36ea4974f8a3d040962ad609dda3aab071b167aea4115be
            • Opcode Fuzzy Hash: 072f90cf6040cf2ff176c7ea28862d56bc8fc93b92c4e0cded260317c597c86f
            • Instruction Fuzzy Hash: 1B213A74E40314AFDF109FA5FC4DAA9BFF4FB09B60F10409AE504A66A0DBB10560CF90
            APIs
            • __Init_thread_footer.LIBCMT ref: 001DBB4E
            Similarity
            • API ID: Init_thread_footer
            • String ID: p#*$p#*$p#*$p#*$p%*$p%*$x#*$x#*
            • API String ID: 1385522511-2187480829
            • Opcode ID: 83f5accd1ed518aebc4055552a792ec3b2ecd1af2acf0aa73e7680363b8d8983
            • Instruction ID: 77184f1f549b405bf709be7b2973dcfd897aeb293eda03499e5a26aa1196d64d
            • Opcode Fuzzy Hash: 83f5accd1ed518aebc4055552a792ec3b2ecd1af2acf0aa73e7680363b8d8983
            • Instruction Fuzzy Hash: 9F32CE70A08219EFCF24CF98D8D4ABEB7B5EF45304F16805AE906AB352C774AD51CB51

            Control-flow Graph

            APIs
            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001D316A,?,?), ref: 001D31D8
            • KillTimer.USER32(?,00000001,?,?,?,?,?,001D316A,?,?), ref: 001D3204
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001D3227
            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001D316A,?,?), ref: 001D3232
            • CreatePopupMenu.USER32 ref: 001D3246
            • PostQuitMessage.USER32(00000000), ref: 001D3267
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: 0bc0cb63f0215c2eac9a882037de2c8385ba19708c89994ab267d343d7e6dd3d
            • Instruction ID: b66eef75c415de3aaeaaa043e8d4b3821f121fd8bfc8f5c3c7d80931152b0f4b
            • Opcode Fuzzy Hash: 0bc0cb63f0215c2eac9a882037de2c8385ba19708c89994ab267d343d7e6dd3d
            • Instruction Fuzzy Hash: 8E413A39610206A7DF192F78FC0DBBA3A59E716350F144127F561853A1CFA19A70D763
            Similarity
            • API ID:
            • String ID: D%*$D%*$D%*$D%*$D%*D%*$Variable must be of type 'Object'.
            • API String ID: 0-1753019893
            • Opcode ID: 9e2df60a0598dbc9afdb92752cce6be6bd5fc12f855a3ff0dcfc7d614ac9b35e
            • Instruction ID: 6896365e706ca963a15cb0b7e5a154d14bae7b724b0a43eafdde98b24a37433f
            • Opcode Fuzzy Hash: 9e2df60a0598dbc9afdb92752cce6be6bd5fc12f855a3ff0dcfc7d614ac9b35e
            • Instruction Fuzzy Hash: FEC2AA71A00215DFCB28EF98D880AADB7F1BF19301F24816AE906AF391D775ED51CB91

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d0f77de233c83b507a53401aca738ac4112495815b1e63ae17117b39712391df
            • Instruction ID: 1f57872321b5dc77734b3401176c1fd2804fb265136301610ca5576fc0cacfd8
            • Opcode Fuzzy Hash: d0f77de233c83b507a53401aca738ac4112495815b1e63ae17117b39712391df
            • Instruction Fuzzy Hash: 99C1F074A1434AAFDB11DFA8D844BAEBBB1AF19310F144099F555A73D3CB708991CF60

            Control-flow Graph

            control_flow_graph 1324 22e2600-22e26ae call 22e0000 1327 22e26b5-22e26db call 22e3510 CreateFileW 1324->1327 1330 22e26dd 1327->1330 1331 22e26e2-22e26f2 1327->1331 1332 22e282d-22e2831 1330->1332 1339 22e26f9-22e2713 VirtualAlloc 1331->1339 1340 22e26f4 1331->1340 1333 22e2873-22e2876 1332->1333 1334 22e2833-22e2837 1332->1334 1336 22e2879-22e2880 1333->1336 1337 22e2839-22e283c 1334->1337 1338 22e2843-22e2847 1334->1338 1341 22e28d5-22e28ea 1336->1341 1342 22e2882-22e288d 1336->1342 1337->1338 1343 22e2849-22e2853 1338->1343 1344 22e2857-22e285b 1338->1344 1345 22e271a-22e2731 ReadFile 1339->1345 1346 22e2715 1339->1346 1340->1332 1351 22e28ec-22e28f7 VirtualFree 1341->1351 1352 22e28fa-22e2902 1341->1352 1349 22e288f 1342->1349 1350 22e2891-22e289d 1342->1350 1343->1344 1353 22e285d-22e2867 1344->1353 1354 22e286b 1344->1354 1347 22e2738-22e2778 VirtualAlloc 1345->1347 1348 22e2733 1345->1348 1346->1332 1355 22e277f-22e279a call 22e3760 1347->1355 1356 22e277a 1347->1356 1348->1332 1349->1341 1357 22e289f-22e28af 1350->1357 1358 22e28b1-22e28bd 1350->1358 1351->1352 1353->1354 1354->1333 1364 22e27a5-22e27af 1355->1364 1356->1332 1360 22e28d3 1357->1360 1361 22e28bf-22e28c8 1358->1361 1362 22e28ca-22e28d0 1358->1362 1360->1336 1361->1360 1362->1360 1365 22e27e2-22e27f6 call 22e3570 1364->1365 1366 22e27b1-22e27e0 call 22e3760 1364->1366 1372 22e27fa-22e27fe 1365->1372 1373 22e27f8 1365->1373 1366->1364 1374 22e280a-22e280e 1372->1374 1375 22e2800-22e2804 FindCloseChangeNotification 1372->1375 1373->1332 1376 22e281e-22e2827 1374->1376 1377 22e2810-22e281b VirtualFree 1374->1377 1375->1374 1376->1327 1376->1332 1377->1376
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 022E26D1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 022E28F7
            Memory Dump Source
            • Source File: 00000000.00000002.2029686450.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_22e0000_PI_2024.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
            • Instruction ID: 7dc8a2c472ee486037962b4c461f975d3564ce9b314b7d25b1b66628e84bdea5
            • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
            • Instruction Fuzzy Hash: 65A10770E10209EBDF14CFE4C854BEEBBB9BF48304F608259E516BB284D7759A40DB64

            Control-flow Graph

            control_flow_graph 1388 1d2c63-1d2cd3 CreateWindowExW * 2 ShowWindow * 2
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001D2C91
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001D2CB2
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,001D1CAD,?), ref: 001D2CC6
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,001D1CAD,?), ref: 001D2CCF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: 73a28e8b4e03a2c84525353079668053b8b4ddf3112e430d116c5741ccb5b76c
            • Instruction ID: 0284916e04e79228c27e2c02181b3c290cf7d0255f73828d6e040df7c9e7e106
            • Opcode Fuzzy Hash: 73a28e8b4e03a2c84525353079668053b8b4ddf3112e430d116c5741ccb5b76c
            • Instruction Fuzzy Hash: DCF0DA765402A07BEB312B17BC4CE776EBDD7C7F70F10409AF900A25A0CAA51860DAB0

            Control-flow Graph

            control_flow_graph 1503 22e23b0-22e2502 call 22e0000 call 22e22a0 CreateFileW 1510 22e2509-22e2519 1503->1510 1511 22e2504 1503->1511 1514 22e251b 1510->1514 1515 22e2520-22e253a VirtualAlloc 1510->1515 1512 22e25b9-22e25be 1511->1512 1514->1512 1516 22e253e-22e2555 ReadFile 1515->1516 1517 22e253c 1515->1517 1518 22e2559-22e2593 call 22e22e0 call 22e12a0 1516->1518 1519 22e2557 1516->1519 1517->1512 1524 22e25af-22e25b7 ExitProcess 1518->1524 1525 22e2595-22e25aa call 22e2330 1518->1525 1519->1512 1524->1512 1525->1524
            APIs
              • Part of subcall function 022E22A0: Sleep.KERNELBASE(000001F4), ref: 022E22B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 022E24F8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2029686450.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_22e0000_PI_2024.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: 4ZTF9F8GOH
            • API String ID: 2694422964-674436684
            • Opcode ID: 2401b80411156f34117c07667bcd1e8681c9c3572fd409fe81953eda30e60086
            • Instruction ID: 4abbfaa71f0a643e6f2142941f116a2a7baa7d4fe9d7b0e0e179ffc7ff2667de
            • Opcode Fuzzy Hash: 2401b80411156f34117c07667bcd1e8681c9c3572fd409fe81953eda30e60086
            • Instruction Fuzzy Hash: 5F518170D20208DBEF10DBE4C864BEEB779AF58300F004259E60ABB2C0D7B91B45CBA5

            Control-flow Graph

            control_flow_graph 1527 242947-2429b9 call 211f50 call 2425d6 call 1efe0b call 1d5722 call 24274e call 1d511f call 1f5232 1542 242a6c-242a73 call 242e66 1527->1542 1543 2429bf-2429c6 call 242e66 1527->1543 1548 242a75-242a77 1542->1548 1549 242a7c 1542->1549 1543->1548 1550 2429cc-242a6a call 1fd583 call 1f4983 call 1f9038 call 1fd583 call 1f9038 * 2 1543->1550 1551 242cb6-242cb7 1548->1551 1553 242a7f-242b3a call 1d50f5 * 8 call 243017 call 1fe5eb 1549->1553 1550->1553 1554 242cd5-242cdb 1551->1554 1592 242b43-242b5e call 242792 1553->1592 1593 242b3c-242b3e 1553->1593 1557 242cf0-242cf6 1554->1557 1558 242cdd-242ced call 1efdcd call 1efe14 1554->1558 1558->1557 1596 242b64-242b6c 1592->1596 1597 242bf0-242bfc call 1fe678 1592->1597 1593->1551 1598 242b74 1596->1598 1599 242b6e-242b72 1596->1599 1604 242c12-242c16 1597->1604 1605 242bfe-242c0d DeleteFileW 1597->1605 1601 242b79-242b97 call 1d50f5 1598->1601 1599->1601 1611 242bc1-242bd7 call 24211d call 1fdbb3 1601->1611 1612 242b99-242b9e 1601->1612 1607 242c91-242ca5 CopyFileW 1604->1607 1608 242c18-242c7e call 2425d6 call 1fd2eb * 2 call 2422ce 1604->1608 1605->1551 1609 242ca7-242cb4 DeleteFileW 1607->1609 1610 242cb9-242ccf DeleteFileW call 242fd8 1607->1610 1608->1610 1632 242c80-242c8f DeleteFileW 1608->1632 1609->1551 1619 242cd4 1610->1619 1627 242bdc-242be7 1611->1627 1616 242ba1-242bb4 call 2428d2 1612->1616 1625 242bb6-242bbf 1616->1625 1619->1554 1625->1611 1627->1596 1629 242bed 1627->1629 1629->1597 1632->1551
            APIs
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00242C05
            • DeleteFileW.KERNEL32(?), ref: 00242C87
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00242C9D
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00242CAE
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00242CC0
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: File$Delete$Copy
            • String ID:
            • API String ID: 3226157194-0
            • Opcode ID: 97e290b349b6db6bbd43fc6d9d6d1a92370a32d953fb11d77dab748465a76522
            • Instruction ID: 78dd602ccd306b1bbba03eedcc5177cbc60c5443a9bafad426f12f4dd79482ad
            • Opcode Fuzzy Hash: 97e290b349b6db6bbd43fc6d9d6d1a92370a32d953fb11d77dab748465a76522
            • Instruction Fuzzy Hash: 76B16F72910119ABDF15DFA5CC85EEEBBBDEF58300F5040A6FA09E6141EB309A588F60

            Control-flow Graph

            control_flow_graph 1943 1d3b1c-1d3b27 1944 1d3b99-1d3b9b 1943->1944 1945 1d3b29-1d3b2e 1943->1945 1947 1d3b8c-1d3b8f 1944->1947 1945->1944 1946 1d3b30-1d3b48 RegOpenKeyExW 1945->1946 1946->1944 1948 1d3b4a-1d3b69 RegQueryValueExW 1946->1948 1949 1d3b6b-1d3b76 1948->1949 1950 1d3b80-1d3b8b RegCloseKey 1948->1950 1951 1d3b78-1d3b7a 1949->1951 1952 1d3b90-1d3b97 1949->1952 1950->1947 1953 1d3b7e 1951->1953 1952->1953 1953->1950
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001D3B0F,SwapMouseButtons,00000004,?), ref: 001D3B40
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001D3B0F,SwapMouseButtons,00000004,?), ref: 001D3B61
            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001D3B0F,SwapMouseButtons,00000004,?), ref: 001D3B83
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: 7108ca4bc68cf3410dd0c8c6c69714633d1a1d835b01e6a4862dcef69c1dfda1
            • Instruction ID: 40be1a816f29cc86e7579bee3693415b29bf1920c97688ee1f1d561ad2be7309
            • Opcode Fuzzy Hash: 7108ca4bc68cf3410dd0c8c6c69714633d1a1d835b01e6a4862dcef69c1dfda1
            • Instruction Fuzzy Hash: FD1127B5610208FFDB219FA5DC88ABEBBB8EF04744B10846BE855D7210E3719E409BA1
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 022E1A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 022E1AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 022E1B13
            Memory Dump Source
            • Source File: 00000000.00000002.2029686450.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_22e0000_PI_2024.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
            • Instruction ID: 36bc7faac2334bd18b053bfcf0a0462b8b824c660ea0e3d0db58a92de6f31f1d
            • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
            • Instruction Fuzzy Hash: A2622F30A24218DBEB24DFA4C840BDEB376EF58300F5091A9E10DEB394E7759E81DB59
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002133A2
              • Part of subcall function 001D6B57: _wcslen.LIBCMT ref: 001D6B6A
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 001D3A04
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_wcslen
            • String ID: Line:
            • API String ID: 2289894680-1585850449
            • Opcode ID: 99afe764daee20c30ce7eac32d40fb0c7673bdad6f7a4b8da56e65094a1ce593
            • Instruction ID: ac6cd0ad979ac87534ca916b7e84ae740827fd5857b5550eed673903e33ef5a4
            • Opcode Fuzzy Hash: 99afe764daee20c30ce7eac32d40fb0c7673bdad6f7a4b8da56e65094a1ce593
            • Instruction Fuzzy Hash: 2431E071508304ABC724EF20EC49BEBB3D8AB51724F00456BF5A983291DF709A58C7D3
            APIs
            • GetOpenFileNameW.COMDLG32(?), ref: 00212C8C
              • Part of subcall function 001D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001D3A97,?,?,001D2E7F,?,?,?,00000000), ref: 001D3AC2
              • Part of subcall function 001D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001D2DC4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen
            • String ID: X$`e)
            • API String ID: 779396738-4093544400
            • Opcode ID: 59bd64382c61e562628026219df46e3d2f8ce0c5a5931b52e97f2969041f4935
            • Instruction ID: c33902ba3ff051550057d63df87f631660e94ca826d6cca65902a19c04f4f6ee
            • Opcode Fuzzy Hash: 59bd64382c61e562628026219df46e3d2f8ce0c5a5931b52e97f2969041f4935
            • Instruction Fuzzy Hash: C221D270A102589FCF01EF94C809BEE7BF8AF59304F00805AE515F7341EBB85A998FA1
            APIs
            • __CxxThrowException@8.LIBVCRUNTIME ref: 001F0668
              • Part of subcall function 001F32A4: RaiseException.KERNEL32(?,?,?,001F068A,?,002A1444,?,?,?,?,?,?,001F068A,001D1129,00298738,001D1129), ref: 001F3304
            • __CxxThrowException@8.LIBVCRUNTIME ref: 001F0685
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Exception@8Throw$ExceptionRaise
            • String ID: Unknown exception
            • API String ID: 3476068407-410509341
            • Opcode ID: 3116b2bab28a02bca057332bcd975442348f1a211e4db383faa362aeea873166
            • Instruction ID: 4bb065930c822e35acaf985c190bbb014049342af362ad7e788280000cf6e88d
            • Opcode Fuzzy Hash: 3116b2bab28a02bca057332bcd975442348f1a211e4db383faa362aeea873166
            • Instruction Fuzzy Hash: 96F0223490020C73CF00BAA4EC46CBE7B6C6E51310B604135BA28C64A3EF71EA66C680
            APIs
            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0024302F
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00243044
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: 88db96b1d84e1f4a78cb039cbd1eb10e4d608505f6d1bbe6fa2a395d54cfb14b
            • Instruction ID: 2ef0aa567bd1c47d8ac60f8abce3a4b708799a6c8b9cad76fc9feccd965ed3fb
            • Opcode Fuzzy Hash: 88db96b1d84e1f4a78cb039cbd1eb10e4d608505f6d1bbe6fa2a395d54cfb14b
            • Instruction Fuzzy Hash: 0DD05E7250032867DA20A7A4EC0EFDB3A6CDB05750F0042A2BE95E2091DAF49984CAD0
            APIs
            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 002582F5
            • TerminateProcess.KERNEL32(00000000), ref: 002582FC
            • FreeLibrary.KERNEL32(?,?,?,?), ref: 002584DD
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Process$CurrentFreeLibraryTerminate
            • String ID:
            • API String ID: 146820519-0
            • Opcode ID: 4af7c1ca2d7c12c214841a37c8dc79ff88a267939a10aaad4e03f5ac5e749613
            • Instruction ID: 0f57f432feb00d8c86cdb7396e6a3a128b74575e153c0fc3861d6f7a8a022af7
            • Opcode Fuzzy Hash: 4af7c1ca2d7c12c214841a37c8dc79ff88a267939a10aaad4e03f5ac5e749613
            • Instruction Fuzzy Hash: BC127B71A183419FC714DF28C484B2ABBE1BF88315F14895DE8899B392DB71ED49CF92
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1296669f40d1dcb990c2f92fd85fedb0766fd3fbcaa8f40159c583b85c766d82
            • Instruction ID: 20a91818d0b51530a3cae27b58312eaad94c73dfb9f98d38d7434fe66d830dd2
            • Opcode Fuzzy Hash: 1296669f40d1dcb990c2f92fd85fedb0766fd3fbcaa8f40159c583b85c766d82
            • Instruction Fuzzy Hash: FF51AE71920B2A9FDB219FA4C849BBFBBB8AF15314F14005AF405A72D3D7B19921CF61
            APIs
              • Part of subcall function 001D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001D1BF4
              • Part of subcall function 001D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001D1BFC
              • Part of subcall function 001D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001D1C07
              • Part of subcall function 001D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001D1C12
              • Part of subcall function 001D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001D1C1A
              • Part of subcall function 001D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001D1C22
              • Part of subcall function 001D1B4A: RegisterWindowMessageW.USER32(00000004,?,001D12C4), ref: 001D1BA2
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001D136A
            • OleInitialize.OLE32 ref: 001D1388
            • CloseHandle.KERNEL32(00000000,00000000), ref: 002124AB
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID:
            • API String ID: 1986988660-0
            • Opcode ID: 98eac8bb9f10623e5984daf0b31cb7022f67f1accb1a863af1904a323b862f38
            • Instruction ID: e9363d318ff9cb6323e4b1d7c327cce30f2380a26e5e7618004acca91da02711
            • Opcode Fuzzy Hash: 98eac8bb9f10623e5984daf0b31cb7022f67f1accb1a863af1904a323b862f38
            • Instruction Fuzzy Hash: 877199B8D112509FD388EF79B8496657BE4BB9B3B4B94822AD44AC73A1EF344474CF40
            APIs
            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,002085CC,?,00298CC8,0000000C), ref: 00208704
            • GetLastError.KERNEL32(?,002085CC,?,00298CC8,0000000C), ref: 0020870E
            • __dosmaperr.LIBCMT ref: 00208739
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
            • String ID:
            • API String ID: 490808831-0
            • Opcode ID: b646b586d9b2d154281415ad01e13746d94840314d86413329dc7768fd09eb6a
            • Instruction ID: 0aafa9d363b3b902f8d438b5757e3732cff7c9fecfffd2073202f47168a2859c
            • Opcode Fuzzy Hash: b646b586d9b2d154281415ad01e13746d94840314d86413329dc7768fd09eb6a
            • Instruction Fuzzy Hash: 0F016B32A343301BC7206734A88977F6B4D4B92774F3A0159F9489B1D3DEA2CCA18A50
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00242CD4,?,?,?,00000004,00000001), ref: 00242FF2
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00242CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00243006
            • CloseHandle.KERNEL32(00000000,?,00242CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0024300D
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: b8986ffaeaf900fab2f9136c0d01c1a482f5aa62bee0b0940b0b33af7dec1daf
            • Instruction ID: 61684bd52eec50c817f5280ee9d41bcd0a5d98f93e37c82e465c11861e97e147
            • Opcode Fuzzy Hash: b8986ffaeaf900fab2f9136c0d01c1a482f5aa62bee0b0940b0b33af7dec1daf
            • Instruction Fuzzy Hash: C4E0863228021077D6313755BC0DF9B3A5CD786B71F208250F7A9751D086E1251142A8
            APIs
            • __Init_thread_footer.LIBCMT ref: 001E17F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: CALL
            • API String ID: 1385522511-4196123274
            • Opcode ID: 3d52da46688cac6bfa4dd2d85cb67c92da7a1cc05822402e4832dffae4e066ab
            • Instruction ID: d2a885ff73bdf17903a24f0ce5ff2eb78b0ff648c5632857fdf50e08f63958f3
            • Opcode Fuzzy Hash: 3d52da46688cac6bfa4dd2d85cb67c92da7a1cc05822402e4832dffae4e066ab
            • Instruction Fuzzy Hash: D822BB70608681EFC714DF15D484A2EBBF1BF99314F28895DF8868B3A1D771E851CB82
            APIs
            • _wcslen.LIBCMT ref: 00246F6B
              • Part of subcall function 001D4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4EFD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: LibraryLoad_wcslen
            • String ID: >>>AUTOIT SCRIPT<<<
            • API String ID: 3312870042-2806939583
            • Opcode ID: cf8c4c07d40d7ec09de42cb2b57fb7c10b26630e859f434e7e70870afa4152e6
            • Instruction ID: d8288b273d9dbc0a038dff765d1865385f2538e17c69e9a35ea73b9a7d4f1cb0
            • Opcode Fuzzy Hash: cf8c4c07d40d7ec09de42cb2b57fb7c10b26630e859f434e7e70870afa4152e6
            • Instruction Fuzzy Hash: 9FB1A5311182029FCB18EF24D49196EB7E5FFA4304F44495EF896973A2EB70ED49CB92
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID: EA06
            • API String ID: 2638373210-3962188686
            • Opcode ID: 0c915eaf4fb80f3b8d45d30c6bf0ea4bd199a18144f0470a448f49c385f29af5
            • Instruction ID: 0627a278de8d6eef00f4f9579b62dd21487751a3aeadfbddffc5c4c2c5c516c7
            • Opcode Fuzzy Hash: 0c915eaf4fb80f3b8d45d30c6bf0ea4bd199a18144f0470a448f49c385f29af5
            • Instruction Fuzzy Hash: DB01B572914258BEDF28C7A8CC56EBEBBF89B15305F00455AF252D21C1E5B4E7188B60
            APIs
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 001D3908
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: IconNotifyShell_
            • String ID:
            • API String ID: 1144537725-0
            • Opcode ID: 1e47373f721a1605f62342c7fd60879e91c3bafbaa894115dc81a108d784b4cf
            • Instruction ID: aff777ce55750dcdcbd49566da87e9dc4fa8ae44f15e1c37220d00a4e5e6610b
            • Opcode Fuzzy Hash: 1e47373f721a1605f62342c7fd60879e91c3bafbaa894115dc81a108d784b4cf
            • Instruction Fuzzy Hash: 7C31A5B05043019FD721DF24D888797BBE4FB49718F00096EF5E997380EBB1AA54CB52
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 022E1A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 022E1AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 022E1B13
            Memory Dump Source
            • Source File: 00000000.00000002.2029686450.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_22e0000_PI_2024.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
            • Instruction ID: 25514a03b61528298d379ee303c202ecc3d9f1606910c8a0091cdcbe5c6b7e00
            • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
            • Instruction Fuzzy Hash: DD12DD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A4E77A4F91CF5A
            APIs
              • Part of subcall function 001D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001D4EDD,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4E9C
              • Part of subcall function 001D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001D4EAE
              • Part of subcall function 001D4E90: FreeLibrary.KERNEL32(00000000,?,?,001D4EDD,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4EC0
            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4EFD
              • Part of subcall function 001D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00213CDE,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4E62
              • Part of subcall function 001D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001D4E74
              • Part of subcall function 001D4E59: FreeLibrary.KERNEL32(00000000,?,?,00213CDE,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4E87
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Library$Load$AddressFreeProc
            • String ID:
            • API String ID: 2632591731-0
            • Opcode ID: 190b47da061b533d553f757a5231eff81925774348be6c76b682fcbf096a8991
            • Instruction ID: 00a16d06602bafb85fa8797ead705a6e77b65f89675eda552402f98317994232
            • Opcode Fuzzy Hash: 190b47da061b533d553f757a5231eff81925774348be6c76b682fcbf096a8991
            • Instruction Fuzzy Hash: BF110632610205ABDF14FF64DC06FAD77E5AF60710F20842FF542A62E1EF74AA559B90
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: __wsopen_s
            • String ID:
            • API String ID: 3347428461-0
            • Opcode ID: fabc3f58bfd4e6c343d837bcccb24d100d5316a7c778f50e1524cca3c792aa1f
            • Instruction ID: a4e08d9366199d742f7baf0b50f005cabb34dc8e87109ee21753e43e0f48e210
            • Opcode Fuzzy Hash: fabc3f58bfd4e6c343d837bcccb24d100d5316a7c778f50e1524cca3c792aa1f
            • Instruction Fuzzy Hash: 8711157590420AAFCB05DF58E9419DF7BF9EF48314F1040A9F808AB352DA31EA21CBA5
            APIs
              • Part of subcall function 00204C7D: RtlAllocateHeap.NTDLL(00000008,001D1129,00000000,?,00202E29,00000001,00000364,?,?,?,001FF2DE,00203863,002A1444,?,001EFDF5,?), ref: 00204CBE
            • _free.LIBCMT ref: 0020506C
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
            • Instruction ID: 4b685fa60623c1ab5a6af17b38e25034957cbd799731da0fe7741f8325a2d080
            • Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
            • Instruction Fuzzy Hash: 76012672214705ABE3218E659885A5AFBEDFB89370F25091DE184832C1EA70A805CAB4
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
            • Instruction ID: 118f521f9adbb3fb2fd769c975e1531ad7fcd3d26fe46ab0ddd936d4e3246a6a
            • Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
            • Instruction Fuzzy Hash: 30F0D132520B1C96CB323E699C09B7A33D99FA2334F11071AF625D61E2DB7098068AA5
            APIs
            • RtlAllocateHeap.NTDLL(00000008,001D1129,00000000,?,00202E29,00000001,00000364,?,?,?,001FF2DE,00203863,002A1444,?,001EFDF5,?), ref: 00204CBE
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: ec6d52b8a53eb7f09a2c3a60f09971d38efef8d8855bf0c6c97cfc3fdb0c352a
            • Instruction ID: c3d0b3ed5a28b09b57c66dafc21efc7b4750b1464602885eb3e4aa95d5e8894a
            • Opcode Fuzzy Hash: ec6d52b8a53eb7f09a2c3a60f09971d38efef8d8855bf0c6c97cfc3fdb0c352a
            • Instruction Fuzzy Hash: E3F0B47162232967FB217F629C09B6B3798AF517A0F14C127FA19A61D2CB70D82146E0
            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,002A1444,?,001EFDF5,?,?,001DA976,00000010,002A1440,001D13FC,?,001D13C6,?,001D1129), ref: 00203852
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: c626d2bc494aa8177ff30e3f49f13ce2a39c6d047625be8092c73171161e4f39
            • Instruction ID: 7e8b7842a93dcb8d06c2885d1555bd70263415519b6329d48c426ea9b3e2c47d
            • Opcode Fuzzy Hash: c626d2bc494aa8177ff30e3f49f13ce2a39c6d047625be8092c73171161e4f39
            • Instruction Fuzzy Hash: C3E0E53212032A57D7216E669C04BAB364DAF427B0F1580A0FD05924C3CB51DE2181E0
            APIs
            • _free.LIBCMT ref: 00204D9C
              • Part of subcall function 002029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000), ref: 002029DE
              • Part of subcall function 002029C8: GetLastError.KERNEL32(00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000,00000000), ref: 002029F0
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorFreeHeapLast_free
            • String ID:
            • API String ID: 1353095263-0
            • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
            • Instruction ID: 3e239a2358ebfe9578ab89b5ef3f21f5ee84e82efbda75e9c514708ac2523fa0
            • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
            • Instruction Fuzzy Hash: 81E09276110305DFC720DF6CD400A82B7F4EF84320720852AE99DD3352D331E822CB80
            APIs
            • FreeLibrary.KERNEL32(?,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4F6D
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 5646e8ac213a1a95b8bf0e7250bebe98c485850a3d1277c9ee4a7e6f4773c577
            • Instruction ID: 2b88b496196cf814899bcd4b994564cb65772b883d5ceaccf77bac2b119d5563
            • Opcode Fuzzy Hash: 5646e8ac213a1a95b8bf0e7250bebe98c485850a3d1277c9ee4a7e6f4773c577
            • Instruction Fuzzy Hash: 52F03971105752CFDB389F68E494822BBF4AF14329320897FE2EA82631CB31A844DF50
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001D2DC4
              • Part of subcall function 001D6B57: _wcslen.LIBCMT ref: 001D6B6A
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: LongNamePath_wcslen
            • String ID:
            • API String ID: 541455249-0
            • Opcode ID: 555493f84ad301d21064d30a5f6aecc660be7b4e0a3cc0e1add730f4f2ee5557
            • Instruction ID: 088177ba8690fa1cb9c19dd7fc5107381d27f147bd08a33ec56d348ea4c2e56f
            • Opcode Fuzzy Hash: 555493f84ad301d21064d30a5f6aecc660be7b4e0a3cc0e1add730f4f2ee5557
            • Instruction Fuzzy Hash: FDE0CD727042245BC720A2589C05FEA77DDDFC8790F044072FD09D7248DA70AD808550
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction ID: b1c7d1db12c06cfe570b97375f3cc5195875e58fb62a5ee42db578846970be4a
            • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction Fuzzy Hash: D7E04FB0609B009FDF3D6E28A8517B677E99F4A340F00086EF69B83252E67268558A4D
            APIs
              • Part of subcall function 001D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001D3908
              • Part of subcall function 001DD730: GetInputState.USER32 ref: 001DD807
            • SetCurrentDirectoryW.KERNEL32(?), ref: 001D2B6B
              • Part of subcall function 001D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001D314E
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: IconNotifyShell_$CurrentDirectoryInputState
            • String ID:
            • API String ID: 3667716007-0
            • Opcode ID: a7fcfe0a19ba653e833e98d7c6044ffbdeac9de4ba395f1d55074a591b92f5e0
            • Instruction ID: 4f8dc320bb1199f48434dfd5cbb719187f3079fbfb9394813f1025394702fb19
            • Opcode Fuzzy Hash: a7fcfe0a19ba653e833e98d7c6044ffbdeac9de4ba395f1d55074a591b92f5e0
            • Instruction Fuzzy Hash: 1CE07D3230020403C604BB74B81647DB7498BF6361F40057FF06283363CF6449558313
            APIs
            • CreateFileW.KERNELBASE(00000000,00000000,?,00210704,?,?,00000000,?,00210704,00000000,0000000C), ref: 002103B7
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 6fd34a2015da3629e4a11778315817239f21ad3aa57b11b1584ac444ed35d8b0
            • Instruction ID: 59e28fbe6c39f098d867d00ea3c5a38bc23f5138b3b7055a2a1d0908d45066ed
            • Opcode Fuzzy Hash: 6fd34a2015da3629e4a11778315817239f21ad3aa57b11b1584ac444ed35d8b0
            • Instruction Fuzzy Hash: 5FD06C3204010DBBDF029F84ED06EDA3BAAFB48714F118040FE5856060C772E821AB90
            APIs
            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001D1CBC
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: InfoParametersSystem
            • String ID:
            • API String ID: 3098949447-0
            • Opcode ID: 05ce83981db0c2292dc852bfde62c92b77e88473dac219d318c4724f6852028a
            • Instruction ID: ce4497ba56993f54ed51824fcc578f0fda995a6cd1ecaac55c1c77aae143d714
            • Opcode Fuzzy Hash: 05ce83981db0c2292dc852bfde62c92b77e88473dac219d318c4724f6852028a
            • Instruction Fuzzy Hash: FBC09B35280304DFF6145B84BC4EF107754F349B10F548001F649755E3C7E11420DA50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: 4057fc99ec4c123f62ac7dc6bb8b9d191d1c1b5948e608f48c214ab2767ca04d
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: 3F311574A00549DBD718CF5AD48096DFBA1FF49310B7486A9E80ACB651E731EDC2DBC0
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 022E22B1
            Memory Dump Source
            • Source File: 00000000.00000002.2029686450.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_22e0000_PI_2024.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: c9c957957fc69a73fe26fcb68fbf2ac4da46cf509c5ca5f6ea4431a460010c5e
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: 0AE0BF7494010EDFDB00EFA4D94969E7BB4EF04301F100261FD0292280D67099509A62
            APIs
              • Part of subcall function 001E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001E9BB2
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0026961A
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0026965B
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0026969F
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002696C9
            • SendMessageW.USER32 ref: 002696F2
            • GetKeyState.USER32(00000011), ref: 0026978B
            • GetKeyState.USER32(00000009), ref: 00269798
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002697AE
            • GetKeyState.USER32(00000010), ref: 002697B8
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002697E9
            • SendMessageW.USER32 ref: 00269810
            • SendMessageW.USER32(?,00001030,?,00267E95), ref: 00269918
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0026992E
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00269941
            • SetCapture.USER32(?), ref: 0026994A
            • ClientToScreen.USER32(?,?), ref: 002699AF
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002699BC
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002699D6
            • ReleaseCapture.USER32 ref: 002699E1
            • GetCursorPos.USER32(?), ref: 00269A19
            • ScreenToClient.USER32(?,?), ref: 00269A26
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00269A80
            • SendMessageW.USER32 ref: 00269AAE
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00269AEB
            • SendMessageW.USER32 ref: 00269B1A
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00269B3B
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00269B4A
            • GetCursorPos.USER32(?), ref: 00269B68
            • ScreenToClient.USER32(?,?), ref: 00269B75
            • GetParent.USER32(?), ref: 00269B93
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00269BFA
            • SendMessageW.USER32 ref: 00269C2B
            • ClientToScreen.USER32(?,?), ref: 00269C84
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00269CB4
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00269CDE
            • SendMessageW.USER32 ref: 00269D01
            • ClientToScreen.USER32(?,?), ref: 00269D4E
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00269D82
              • Part of subcall function 001E9944: GetWindowLongW.USER32(?,000000EB), ref: 001E9952
            • GetWindowLongW.USER32(?,000000F0), ref: 00269E05
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
            • String ID: @GUI_DRAGID$F$p#*
            • API String ID: 3429851547-816991323
            • Opcode ID: bbcf9928e584c9b6b5040707522a32f8ac29bbac5f419b5d2fccab19edd7add5
            • Instruction ID: 3bc95cd16d54f2df4ff7d44f0b919e6f79a473c3e27a1960f2261226ccfefaf8
            • Opcode Fuzzy Hash: bbcf9928e584c9b6b5040707522a32f8ac29bbac5f419b5d2fccab19edd7add5
            • Instruction Fuzzy Hash: AE429E34614342AFDB25DF28DC48AAABBEDFF59320F10461AF595872A1DB7198E0CF41
            APIs
            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002648F3
            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00264908
            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00264927
            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0026494B
            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0026495C
            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0026497B
            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002649AE
            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002649D4
            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00264A0F
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00264A56
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00264A7E
            • IsMenu.USER32(?), ref: 00264A97
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00264AF2
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00264B20
            • GetWindowLongW.USER32(?,000000F0), ref: 00264B94
            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00264BE3
            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00264C82
            • wsprintfW.USER32 ref: 00264CAE
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00264CC9
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00264CF1
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00264D13
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00264D33
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00264D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
            • String ID: %d/%02d/%02d
            • API String ID: 4054740463-328681919
            • Opcode ID: 8a4443b6440d578b7d3229670a08364e4bb9c03a0a615c11e8784c1a6272f168
            • Instruction ID: 5d3c5fcc2c3fa492ad0937b697693bf277dd3e6c7e2fc17929e67b2d10897fcf
            • Opcode Fuzzy Hash: 8a4443b6440d578b7d3229670a08364e4bb9c03a0a615c11e8784c1a6272f168
            • Instruction Fuzzy Hash: 4E123431610245ABEB24AF24DC49FBE7BF8EF85310F104119F996DB2E0DBB49991CB50
            APIs
            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 001EF998
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0022F474
            • IsIconic.USER32(00000000), ref: 0022F47D
            • ShowWindow.USER32(00000000,00000009), ref: 0022F48A
            • SetForegroundWindow.USER32(00000000), ref: 0022F494
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0022F4AA
            • GetCurrentThreadId.KERNEL32 ref: 0022F4B1
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0022F4BD
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0022F4CE
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0022F4D6
            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0022F4DE
            • SetForegroundWindow.USER32(00000000), ref: 0022F4E1
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0022F4F6
            • keybd_event.USER32(00000012,00000000), ref: 0022F501
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0022F50B
            • keybd_event.USER32(00000012,00000000), ref: 0022F510
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0022F519
            • keybd_event.USER32(00000012,00000000), ref: 0022F51E
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0022F528
            • keybd_event.USER32(00000012,00000000), ref: 0022F52D
            • SetForegroundWindow.USER32(00000000), ref: 0022F530
            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0022F557
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: 173081c101b618e54cb330eca056b29f77d5cb5d926b0d70e3302a4a9838acba
            • Instruction ID: 2e08f9215d784eb4a01d4e6e51cf4c1a4627c04b6bf78fc4e872b00d9ae2a0a5
            • Opcode Fuzzy Hash: 173081c101b618e54cb330eca056b29f77d5cb5d926b0d70e3302a4a9838acba
            • Instruction Fuzzy Hash: FB315271A502187AEB217FB56C49FBF7E7CEB44B50F204065FA01F61D1C6F15910AAA0
            APIs
              • Part of subcall function 002316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023170D
              • Part of subcall function 002316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0023173A
              • Part of subcall function 002316C3: GetLastError.KERNEL32 ref: 0023174A
            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00231286
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002312A8
            • CloseHandle.KERNEL32(?), ref: 002312B9
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002312D1
            • GetProcessWindowStation.USER32 ref: 002312EA
            • SetProcessWindowStation.USER32(00000000), ref: 002312F4
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00231310
              • Part of subcall function 002310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002311FC), ref: 002310D4
              • Part of subcall function 002310BF: CloseHandle.KERNEL32(?,?,002311FC), ref: 002310E9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
            • String ID: $default$winsta0$Z)
            • API String ID: 22674027-2977468400
            • Opcode ID: ec08ec07254c2f2e70c157833ab7c8c4c1edfbd094e581efdeb0c45c0e83be3e
            • Instruction ID: 1bfd0964914e193d1490fd1072ffe1194234ce0121444c8b0711118dab8ed428
            • Opcode Fuzzy Hash: ec08ec07254c2f2e70c157833ab7c8c4c1edfbd094e581efdeb0c45c0e83be3e
            • Instruction Fuzzy Hash: 918191B1A10349AFDF11AFA4DC49FFE7BB9EF04704F148129FA11A61A0DB758964CB24
            APIs
              • Part of subcall function 002310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00231114
              • Part of subcall function 002310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 00231120
              • Part of subcall function 002310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 0023112F
              • Part of subcall function 002310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 00231136
              • Part of subcall function 002310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0023114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00230BCC
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00230C00
            • GetLengthSid.ADVAPI32(?), ref: 00230C17
            • GetAce.ADVAPI32(?,00000000,?), ref: 00230C51
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00230C6D
            • GetLengthSid.ADVAPI32(?), ref: 00230C84
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00230C8C
            • HeapAlloc.KERNEL32(00000000), ref: 00230C93
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00230CB4
            • CopySid.ADVAPI32(00000000), ref: 00230CBB
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00230CEA
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00230D0C
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00230D1E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00230D45
            • HeapFree.KERNEL32(00000000), ref: 00230D4C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00230D55
            • HeapFree.KERNEL32(00000000), ref: 00230D5C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00230D65
            • HeapFree.KERNEL32(00000000), ref: 00230D6C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00230D78
            • HeapFree.KERNEL32(00000000), ref: 00230D7F
              • Part of subcall function 00231193: GetProcessHeap.KERNEL32(00000008,00230BB1,?,00000000,?,00230BB1,?), ref: 002311A1
              • Part of subcall function 00231193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00230BB1,?), ref: 002311A8
              • Part of subcall function 00231193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00230BB1,?), ref: 002311B7
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: 9d31a2fdf2268f4d9bc2fa2f25ddf48d6c73df7fbb4c411452769ed15e7de3f2
            • Instruction ID: 993a6ceb9f2d1d8a7e95dfb6f3d35021ca6bb6dbe4be26e33a51afc7126b2e47
            • Opcode Fuzzy Hash: 9d31a2fdf2268f4d9bc2fa2f25ddf48d6c73df7fbb4c411452769ed15e7de3f2
            • Instruction Fuzzy Hash: 22715DB191020AABDF10EFA4EC88FAEBBB8FF05310F148565E954A6191D7B1E915CB70
            APIs
            • OpenClipboard.USER32(0026CC08), ref: 0024EB29
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0024EB37
            • GetClipboardData.USER32(0000000D), ref: 0024EB43
            • CloseClipboard.USER32 ref: 0024EB4F
            • GlobalLock.KERNEL32(00000000), ref: 0024EB87
            • CloseClipboard.USER32 ref: 0024EB91
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0024EBBC
            • IsClipboardFormatAvailable.USER32(00000001), ref: 0024EBC9
            • GetClipboardData.USER32(00000001), ref: 0024EBD1
            • GlobalLock.KERNEL32(00000000), ref: 0024EBE2
            • GlobalUnlock.KERNEL32(00000000,?), ref: 0024EC22
            • IsClipboardFormatAvailable.USER32(0000000F), ref: 0024EC38
            • GetClipboardData.USER32(0000000F), ref: 0024EC44
            • GlobalLock.KERNEL32(00000000), ref: 0024EC55
            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0024EC77
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0024EC94
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0024ECD2
            • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0024ECF3
            • CountClipboardFormats.USER32 ref: 0024ED14
            • CloseClipboard.USER32 ref: 0024ED59
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
            • String ID:
            • API String ID: 420908878-0
            • Opcode ID: d2847d57e23ae56ea71295b51fdc8038d289072bd9d3376b6c66aeb0c991db4a
            • Instruction ID: b1d01f87b0e7544a3eb4b55764d93321956e72b58f57feedb919f42d2288e423
            • Opcode Fuzzy Hash: d2847d57e23ae56ea71295b51fdc8038d289072bd9d3376b6c66aeb0c991db4a
            • Instruction Fuzzy Hash: E861E6742142029FE704EF24E898F3A77A8FF94714F15851EF896872A1CB71ED05CBA2
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 002469BE
            • FindClose.KERNEL32(00000000), ref: 00246A12
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00246A4E
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00246A75
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00246AB2
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00246ADF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
            • API String ID: 3830820486-3289030164
            • Opcode ID: 6e974411b80c14eefab9b4f629c1f1841ebd05cb02e0f88d45c76a61a9c5d72a
            • Instruction ID: 006ccb1f6bc5b2ad0841d2a289a22f71b2f8c25c22f2d5a9895c8c0f17c292c2
            • Opcode Fuzzy Hash: 6e974411b80c14eefab9b4f629c1f1841ebd05cb02e0f88d45c76a61a9c5d72a
            • Instruction Fuzzy Hash: E6D18072508340AEC304EFA4D895EAFB7ECAF99704F00491EF985D7291EB74DA04CB62
            APIs
            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00249663
            • GetFileAttributesW.KERNEL32(?), ref: 002496A1
            • SetFileAttributesW.KERNEL32(?,?), ref: 002496BB
            • FindNextFileW.KERNEL32(00000000,?), ref: 002496D3
            • FindClose.KERNEL32(00000000), ref: 002496DE
            • FindFirstFileW.KERNEL32(*.*,?), ref: 002496FA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 0024974A
            • SetCurrentDirectoryW.KERNEL32(00296B7C), ref: 00249768
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00249772
            • FindClose.KERNEL32(00000000), ref: 0024977F
            • FindClose.KERNEL32(00000000), ref: 0024978F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1409584000-438819550
            • Opcode ID: 9d85fea188c39fec92ffaf50769584ad3ea89969c43c96abb991d8cccfebf978
            • Instruction ID: 3c15fd77a0fbcbe6806afa9fd4e3b32b3b23101b4492ef9c1c47b77f266ad024
            • Opcode Fuzzy Hash: 9d85fea188c39fec92ffaf50769584ad3ea89969c43c96abb991d8cccfebf978
            • Instruction Fuzzy Hash: E131E67261021A6EDF18EFB4EC1CAEF77AC9F09320F108156F955E2190EB70DDA08B14
            APIs
            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002497BE
            • FindNextFileW.KERNEL32(00000000,?), ref: 00249819
            • FindClose.KERNEL32(00000000), ref: 00249824
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00249840
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00249890
            • SetCurrentDirectoryW.KERNEL32(00296B7C), ref: 002498AE
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 002498B8
            • FindClose.KERNEL32(00000000), ref: 002498C5
            • FindClose.KERNEL32(00000000), ref: 002498D5
              • Part of subcall function 0023DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0023DB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 2640511053-438819550
            • Opcode ID: 2443c90649ae81326ad0f68c3ae22ade60568b180852697450022d4a0d491a3d
            • Instruction ID: afcdd7c108b06e18922c9a2c9646fc32463e8c91ac27278c29789b233133e66f
            • Opcode Fuzzy Hash: 2443c90649ae81326ad0f68c3ae22ade60568b180852697450022d4a0d491a3d
            • Instruction Fuzzy Hash: EA31D23151121A6EDF18EFB8EC48AEF77AC9F06320F208156F950A2191DB70DEA4CB20
            APIs
            • GetLocalTime.KERNEL32(?), ref: 00248257
            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00248267
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00248273
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00248310
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00248324
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00248356
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0024838C
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00248395
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CurrentDirectoryTime$File$Local$System
            • String ID: *.*
            • API String ID: 1464919966-438819550
            • Opcode ID: 84d8114e28e293c33d8a6d75382e25d1e118f865e8b7b29d3a1cd71533566b4e
            • Instruction ID: f3c1dda04652a791ad1f562f837d4933c3ec381a0a8c7217149760522d1f3603
            • Opcode Fuzzy Hash: 84d8114e28e293c33d8a6d75382e25d1e118f865e8b7b29d3a1cd71533566b4e
            • Instruction Fuzzy Hash: 07618AB21283459FCB14EF60D8449AFB3E8FF89310F04891EF98983251EB31E915CB92
            APIs
              • Part of subcall function 001D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001D3A97,?,?,001D2E7F,?,?,?,00000000), ref: 001D3AC2
              • Part of subcall function 0023E199: GetFileAttributesW.KERNEL32(?,0023CF95), ref: 0023E19A
            • FindFirstFileW.KERNEL32(?,?), ref: 0023D122
            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0023D1DD
            • MoveFileW.KERNEL32(?,?), ref: 0023D1F0
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0023D20D
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0023D237
              • Part of subcall function 0023D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0023D21C,?,?), ref: 0023D2B2
            • FindClose.KERNEL32(00000000,?,?,?), ref: 0023D253
            • FindClose.KERNEL32(00000000), ref: 0023D264
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 1946585618-1173974218
            • Opcode ID: f541b29eb62964d24071a93f47640650a3f0295e8f4aa8ad561dd655cb806185
            • Instruction ID: 2451b449a4333a1db460ee4a42659b3462a6fa5edde6830208e268551cf29995
            • Opcode Fuzzy Hash: f541b29eb62964d24071a93f47640650a3f0295e8f4aa8ad561dd655cb806185
            • Instruction Fuzzy Hash: D7618E7190110DABCF05EFE0EA929FEB775AF25300F244166E84577292EB306F19DB61
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: a7207f041a62ae6307fdaddfaed556ff846572339cd69667f805849b652eb518
            • Instruction ID: ca1b28ad405f8a5153af0cf4b210eb5815f2f07c217ef63fdc5fddfaee0ecfee
            • Opcode Fuzzy Hash: a7207f041a62ae6307fdaddfaed556ff846572339cd69667f805849b652eb518
            • Instruction Fuzzy Hash: F641BF31614612DFEB14DF15E848B2ABBE5FF44328F15C099E8568B6A2C7B1EC41CBD0
            APIs
              • Part of subcall function 002316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023170D
              • Part of subcall function 002316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0023173A
              • Part of subcall function 002316C3: GetLastError.KERNEL32 ref: 0023174A
            • ExitWindowsEx.USER32(?,00000000), ref: 0023E932
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $ $@$SeShutdownPrivilege
            • API String ID: 2234035333-3163812486
            • Opcode ID: b248dc72cb3adb6bd271e6bb54f6e38e5a665184d0d1063299c87c26d22fa55a
            • Instruction ID: 37d3dcb255afcba0d2d2d58065f2653b8153e2813ef6989ae9d58714d71dc5ea
            • Opcode Fuzzy Hash: b248dc72cb3adb6bd271e6bb54f6e38e5a665184d0d1063299c87c26d22fa55a
            • Instruction Fuzzy Hash: E501D6F2630211ABEF5436B4AC8ABBB725C9714750F264422FC03F21D2D5E09C688790
            APIs
            • socket.WSOCK32(00000002,00000001,00000006), ref: 00251276
            • WSAGetLastError.WSOCK32 ref: 00251283
            • bind.WSOCK32(00000000,?,00000010), ref: 002512BA
            • WSAGetLastError.WSOCK32 ref: 002512C5
            • closesocket.WSOCK32(00000000), ref: 002512F4
            • listen.WSOCK32(00000000,00000005), ref: 00251303
            • WSAGetLastError.WSOCK32 ref: 0025130D
            • closesocket.WSOCK32(00000000), ref: 0025133C
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorLast$closesocket$bindlistensocket
            • String ID:
            • API String ID: 540024437-0
            • Opcode ID: d168ed6fe96734558f96c427bc45038990ccd352358fffc8e66de56fdfa03de1
            • Instruction ID: ae209708ac4ee49017aad56122881b9429b9367049fea57169e7fb4f03ed38f5
            • Opcode Fuzzy Hash: d168ed6fe96734558f96c427bc45038990ccd352358fffc8e66de56fdfa03de1
            • Instruction Fuzzy Hash: DF41A1316001119FD720EF24D498B2ABBE5AF86319F288189DC568F3D6C771EC95CBE1
            APIs
            • _free.LIBCMT ref: 0020B9D4
            • _free.LIBCMT ref: 0020B9F8
            • _free.LIBCMT ref: 0020BB7F
            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00273700), ref: 0020BB91
            • WideCharToMultiByte.KERNEL32(00000000,00000000,002A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0020BC09
            • WideCharToMultiByte.KERNEL32(00000000,00000000,002A1270,000000FF,?,0000003F,00000000,?), ref: 0020BC36
            • _free.LIBCMT ref: 0020BD4B
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free$ByteCharMultiWide$InformationTimeZone
            • String ID:
            • API String ID: 314583886-0
            • Opcode ID: 46bd21374f874f701a2dc5f948324001ac782bd56292bce026c6c8df73e6570d
            • Instruction ID: fdfecc09afacdf69069be2815fa283fbf08d254954cfd1ced3dd26a25455db73
            • Opcode Fuzzy Hash: 46bd21374f874f701a2dc5f948324001ac782bd56292bce026c6c8df73e6570d
            • Instruction Fuzzy Hash: 75C11B71A2430A9FDB32DF649C45BA9BBB8EF42310F24419AE954D72D3DB309E61CB50
            APIs
              • Part of subcall function 001D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001D3A97,?,?,001D2E7F,?,?,?,00000000), ref: 001D3AC2
              • Part of subcall function 0023E199: GetFileAttributesW.KERNEL32(?,0023CF95), ref: 0023E19A
            • FindFirstFileW.KERNEL32(?,?), ref: 0023D420
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0023D470
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0023D481
            • FindClose.KERNEL32(00000000), ref: 0023D498
            • FindClose.KERNEL32(00000000), ref: 0023D4A1
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
            • String ID: \*.*
            • API String ID: 2649000838-1173974218
            • Opcode ID: 9ba7e52dca12841dae81d1a29a79c2a3ed514e257042bbbd1823ed4e5a83a175
            • Instruction ID: 381b300d364c6e2f5ae6a90e3e18d5ca3b834090bedbfc5a93c9c22fe0c450a9
            • Opcode Fuzzy Hash: 9ba7e52dca12841dae81d1a29a79c2a3ed514e257042bbbd1823ed4e5a83a175
            • Instruction Fuzzy Hash: CB31A3710183459FC304EF60E8958AFB7E8BEA1314F444A1EF8D193291EB30EA19D763
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: __floor_pentium4
            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
            • API String ID: 4168288129-2761157908
            • Opcode ID: d171b6ef47c7c41aa70784dc1f2b3e29c480778a4b74c73cf2fc452e504aa0de
            • Instruction ID: aa72f2cef2a0956c6b07e65b22f544c52d3eb3dcd310b4c30bb3e8c5fb556443
            • Opcode Fuzzy Hash: d171b6ef47c7c41aa70784dc1f2b3e29c480778a4b74c73cf2fc452e504aa0de
            • Instruction Fuzzy Hash: 3DC25A71E242298FDF75CE289D407EAB7B5EB48304F1545EAD80DE7282E774AE918F40
            APIs
            • _wcslen.LIBCMT ref: 002464DC
            • CoInitialize.OLE32(00000000), ref: 00246639
            • CoCreateInstance.OLE32(0026FCF8,00000000,00000001,0026FB68,?), ref: 00246650
            • CoUninitialize.OLE32 ref: 002468D4
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 886957087-24824748
            • Opcode ID: 93c803e32953ea4405f409181a6edbfabf9a9231cbe1962f59421353af0ab003
            • Instruction ID: e0fc53fca9bdedcfd46337b284add57f5cbe18e1187b11776c8e850ec486dd9a
            • Opcode Fuzzy Hash: 93c803e32953ea4405f409181a6edbfabf9a9231cbe1962f59421353af0ab003
            • Instruction Fuzzy Hash: DDD14971518201AFC304EF24C88596BB7E9FF99704F50496EF5958B2A1EB70ED09CB92
            APIs
            • GetForegroundWindow.USER32(?,?,00000000), ref: 002522E8
              • Part of subcall function 0024E4EC: GetWindowRect.USER32(?,?), ref: 0024E504
            • GetDesktopWindow.USER32 ref: 00252312
            • GetWindowRect.USER32(00000000), ref: 00252319
            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00252355
            • GetCursorPos.USER32(?), ref: 00252381
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002523DF
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForeground
            • String ID:
            • API String ID: 2387181109-0
            • Opcode ID: e75951cbaedc17c2443010a3501316d165d2a50fdb03debd6d76339bcedebd21
            • Instruction ID: c673cde3246e01fcebd244e3db02ac3ebcbff90369d50724053d92be081d4b21
            • Opcode Fuzzy Hash: e75951cbaedc17c2443010a3501316d165d2a50fdb03debd6d76339bcedebd21
            • Instruction Fuzzy Hash: C7310072504306AFDB20EF54DC49B6BBBA9FF85310F100919F985A7181DB74EA1CCB96
            APIs
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00249B78
            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00249C8B
              • Part of subcall function 00243874: GetInputState.USER32 ref: 002438CB
              • Part of subcall function 00243874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00243966
            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00249BA8
            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00249C75
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
            • String ID: *.*
            • API String ID: 1972594611-438819550
            • Opcode ID: 71323a429dff61e9d9bae7155822e11a96f269ab85a23ec0afb5932b95cbd7d6
            • Instruction ID: 545e08b71d6d1e28dd901af9fe4ad875ebd7e1836aa5541a6e522b79b39173ae
            • Opcode Fuzzy Hash: 71323a429dff61e9d9bae7155822e11a96f269ab85a23ec0afb5932b95cbd7d6
            • Instruction Fuzzy Hash: F641847191020AAFCF18EF64D989AEF7BF4FF19310F244156E815A2291EB309E94CF60
            Strings
            • ERCP, xrefs: 001D813C
            • 6595b64144ccf1df"/> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> , xrefs: 00215D43
            • VUUU, xrefs: 001D843C
            • VUUU, xrefs: 001D83FA
            • VUUU, xrefs: 001D83E8
            • VUUU, xrefs: 00215DF0
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID:
            • String ID: 6595b64144ccf1df"/> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> $ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-4188607644
            • Opcode ID: c0dec7a6dc31e0b635823bd5afbfc4c08018139e12b54cd3c2999035930d3279
            • Instruction ID: 05e11adcca1113662a6fc1749ee6fc8e04f3f41ce54062ad4a37068b666b36f6
            • Opcode Fuzzy Hash: c0dec7a6dc31e0b635823bd5afbfc4c08018139e12b54cd3c2999035930d3279
            • Instruction Fuzzy Hash: D9A26C71E1062ACBDF24CF58C8447EEB7B1BB64314F2581AAE815A7385EB709DD1CB90
            APIs
              • Part of subcall function 001E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001E9BB2
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 001E9A4E
            • GetSysColor.USER32(0000000F), ref: 001E9B23
            • SetBkColor.GDI32(?,00000000), ref: 001E9B36
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Color$LongProcWindow
            • String ID:
            • API String ID: 3131106179-0
            • Opcode ID: db3939d08e21d9aaca5f854bb905d175ef160eb080804adf14a0b4b2cf1cdfef
            • Instruction ID: 3583471eeabf5ad84452271c152fbc668e84307e23a5606134ad20ae41d78a09
            • Opcode Fuzzy Hash: db3939d08e21d9aaca5f854bb905d175ef160eb080804adf14a0b4b2cf1cdfef
            • Instruction Fuzzy Hash: 9FA1467012C9A0BFE728AE6EAC48E7F269DDF82314F150229F402C7691CB259D61C672
            APIs
              • Part of subcall function 0025304E: inet_addr.WSOCK32(?), ref: 0025307A
              • Part of subcall function 0025304E: _wcslen.LIBCMT ref: 0025309B
            • socket.WSOCK32(00000002,00000002,00000011), ref: 0025185D
            • WSAGetLastError.WSOCK32 ref: 00251884
            • bind.WSOCK32(00000000,?,00000010), ref: 002518DB
            • WSAGetLastError.WSOCK32 ref: 002518E6
            • closesocket.WSOCK32(00000000), ref: 00251915
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 1601658205-0
            • Opcode ID: 8ab07753a2f7b47a970774cab1f045a01c6c7a644cb89e12e3d417f83e1756a4
            • Instruction ID: 6f84e38d0c1bb7209d02fdda2547f40b53c7ff68aa0b1327611a992d35b6946a
            • Opcode Fuzzy Hash: 8ab07753a2f7b47a970774cab1f045a01c6c7a644cb89e12e3d417f83e1756a4
            • Instruction Fuzzy Hash: 6A51E571A00200AFE721AF24D88AF6A77E5AB58718F14845DF9459F3C3C771AD51CBE1
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: 6797efc36bce738e2e08aa5a3157187c75a3b44f8f1cd382e27177a76be62b26
            • Instruction ID: ee7a6f8a394387dd5210ca3acdaf62e27532c708d5f795209a1f94623b806c13
            • Opcode Fuzzy Hash: 6797efc36bce738e2e08aa5a3157187c75a3b44f8f1cd382e27177a76be62b26
            • Instruction Fuzzy Hash: BC21E5317506029FD7209F1AD884B6A7BE5EF95314F1C845AE846CB351CBB1ECA2CB91
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 002382AA
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: ($tb)$|
            • API String ID: 1659193697-4290328572
            • Opcode ID: cf04fd7ce2f8957d96122518d02847b7aee43d1559481dd2197a7cb2299f7888
            • Instruction ID: 6e645cd2c7160693a143e4729cb683d393385402e656d9e3d3124fe41cb2fa4e
            • Opcode Fuzzy Hash: cf04fd7ce2f8957d96122518d02847b7aee43d1559481dd2197a7cb2299f7888
            • Instruction Fuzzy Hash: CC3236B5A107069FCB28CF19C481A6AB7F0FF48710B15C56EE59ADB3A1EB70E951CB40
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 0025A6AC
            • Process32FirstW.KERNEL32(00000000,?), ref: 0025A6BA
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • Process32NextW.KERNEL32(00000000,?), ref: 0025A79C
            • CloseHandle.KERNEL32(00000000), ref: 0025A7AB
              • Part of subcall function 001ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00213303,?), ref: 001ECE8A
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
            • String ID:
            • API String ID: 1991900642-0
            • Opcode ID: 6ebb0cfab4d508e2b5215f2551cf6cfb693b52ad5fe80160a223086d594e6a65
            • Instruction ID: 3c9218c1221d63a4899d430bb1bc6ec58e69dd72788bf7f2b54f396412f83256
            • Opcode Fuzzy Hash: 6ebb0cfab4d508e2b5215f2551cf6cfb693b52ad5fe80160a223086d594e6a65
            • Instruction Fuzzy Hash: BF517E71508301AFD710EF24D886A6FBBE8FF99754F00891EF98997291EB70D904CB92
            APIs
            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0023AAAC
            • SetKeyboardState.USER32(00000080), ref: 0023AAC8
            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0023AB36
            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0023AB88
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: f98c3c1597d8fb4357f10f00c08e1d79be1e769916ac257e3db388eaddf5f775
            • Instruction ID: e5d7bc711c828481ffd8fffb01c6e01121c401787332d3cb03be8356c800a084
            • Opcode Fuzzy Hash: f98c3c1597d8fb4357f10f00c08e1d79be1e769916ac257e3db388eaddf5f775
            • Instruction Fuzzy Hash: 17312AB1A60249AEFB35CF64CC05BFAB7ABAB65314F14422AF0C1561D1D3B4C9A1C762
            APIs
            • InternetReadFile.WININET(?,?,00000400,?), ref: 0024CE89
            • GetLastError.KERNEL32(?,00000000), ref: 0024CEEA
            • SetEvent.KERNEL32(?,?,00000000), ref: 0024CEFE
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorEventFileInternetLastRead
            • String ID:
            • API String ID: 234945975-0
            • Opcode ID: 1eb4faaca7296734a405dffcd7ad278356c7dbf49841ded800d45e5f96bf0b1d
            • Instruction ID: d48beb02a4fe42fc4ca3a493f0e1ba529095e0d9451d658092dc76f22588fae5
            • Opcode Fuzzy Hash: 1eb4faaca7296734a405dffcd7ad278356c7dbf49841ded800d45e5f96bf0b1d
            • Instruction Fuzzy Hash: D421FFB16113069BDB70DFA9D948BA7B7FCEB10314F20842EE646D2151E7B4EE188B50
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00245CC1
            • FindNextFileW.KERNEL32(00000000,?), ref: 00245D17
            • FindClose.KERNEL32(?), ref: 00245D5F
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Find$File$CloseFirstNext
            • String ID:
            • API String ID: 3541575487-0
            • Opcode ID: 894e440393d22f474fb175c36f5de51156421288543b1b7f80eb38eb29d9bebb
            • Instruction ID: e9f2cc0253c078f13f76ad05632a0f38d13a5de7bc3cf12f68d39cf5824537c4
            • Opcode Fuzzy Hash: 894e440393d22f474fb175c36f5de51156421288543b1b7f80eb38eb29d9bebb
            • Instruction Fuzzy Hash: 26518A34A14A02DFC718DF28C494A9AB7E4FF59314F14855EE99A8B3A2DB30ED14CB91
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 0020271A
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00202724
            • UnhandledExceptionFilter.KERNEL32(?), ref: 00202731
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: 4a4119fc9d4e2e2c29fee8f2c358f82aefaf125f3e68f92c7523811ab3ee6b83
            • Instruction ID: d82c88fe34377f873ea8dc0969c52918145974a958c59b69dc4f5d5f301acee5
            • Opcode Fuzzy Hash: 4a4119fc9d4e2e2c29fee8f2c358f82aefaf125f3e68f92c7523811ab3ee6b83
            • Instruction Fuzzy Hash: 1A31C47491132C9BCB21DF64DC88798B7B8BF18310F5041EAE90CA7261E7709F858F44
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 002451DA
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00245238
            • SetErrorMode.KERNEL32(00000000), ref: 002452A1
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            APIs
              • Part of subcall function 001EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001F0668
              • Part of subcall function 001EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 001F0685
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023170D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0023173A
            • GetLastError.KERNEL32 ref: 0023174A
            Similarity
            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
            • String ID:
            • API String ID: 577356006-0
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0023D608
            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0023D645
            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0023D650
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0023168C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002316A1
            • FreeSid.ADVAPI32(?), ref: 002316B1
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            APIs
            • GetCurrentProcess.KERNEL32(002028E9,?,001F4CBE,002028E9,002988B8,0000000C,001F4E15,002028E9,00000002,00000000,?,002028E9), ref: 001F4D09
            • TerminateProcess.KERNEL32(00000000,?,001F4CBE,002028E9,002988B8,0000000C,001F4E15,002028E9,00000002,00000000,?,002028E9), ref: 001F4D10
            • ExitProcess.KERNEL32 ref: 001F4D22
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            Strings
            Similarity
            • API ID:
            • String ID: /
            • API String ID: 0-2043925204
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 0022D28C
            Strings
            Similarity
            • API ID: NameUser
            • String ID: X64
            • API String ID: 2645101109-893830106
            Strings
            Similarity
            • API ID:
            • String ID: Variable is not of type 'Object'.$p#*
            • API String ID: 0-2322104059
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00246918
            • FindClose.KERNEL32(00000000), ref: 00246961
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00254891,?,?,00000035,?), ref: 002437E4
            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00254891,?,?,00000035,?), ref: 002437F4
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0023B25D
            • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0023B270
            Similarity
            • API ID: InputSendkeybd_event
            • String ID:
            • API String ID: 3536248340-0
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002311FC), ref: 002310D4
            • CloseHandle.KERNEL32(?,?,002311FC), ref: 002310E9
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            APIs
            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00206766,?,?,00000008,?,?,0020FEFE,00000000), ref: 00206998
            Similarity
            • API ID: ExceptionRaise
            • String ID:
            • API String ID: 3997070919-0
            Strings
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            APIs
            • BlockInput.USER32(00000001), ref: 0024EABD
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001F03EE), ref: 001F09DA
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            Strings
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            Strings
            Similarity
            • API ID:
            • String ID: 0&*
            • API String ID: 0-3276764784
            • Opcode ID: 49e28c1bf107f946f03d90e3daa3f05c7b5d487abb2ca947589630e8ede8aea1
            • Instruction ID: 769aef138cc4d3781075bd5ff1ee47f57db5de6fdc1995a2e7aabcce3883b352
            • Opcode Fuzzy Hash: 49e28c1bf107f946f03d90e3daa3f05c7b5d487abb2ca947589630e8ede8aea1
            • Instruction Fuzzy Hash: FE21A532621615CBD72CCF79D82267A73E9A764710F55862EE4A7C37D0DE35A908CB80
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 152d69f78cedc7d68a9485204619cd751c2201892ae5f98438d495084015f03a
            • Instruction ID: 0231424788b18639c4b19bb5e0ecdd49f309af8b4790cd475d0c0139e48f823a
            • Opcode Fuzzy Hash: 152d69f78cedc7d68a9485204619cd751c2201892ae5f98438d495084015f03a
            • Instruction Fuzzy Hash: 26322422D39F014ED7239A34DC26336A689AFB73C5F15D737E81AB59A6EB29D4C34100
            Memory Dump Source
            • Source File: 00000000.00000002.2029686450.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_22e0000_PI_2024.jbxd
            APIs
            • DeleteObject.GDI32(00000000), ref: 00252B30
            • DeleteObject.GDI32(00000000), ref: 00252B43
            • DestroyWindow.USER32 ref: 00252B52
            • GetDesktopWindow.USER32 ref: 00252B6D
            • GetWindowRect.USER32(00000000), ref: 00252B74
            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00252CA3
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00252CB1
            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252CF8
            • GetClientRect.USER32(00000000,?), ref: 00252D04
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00252D40
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252D62
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252D75
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252D80
            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252D89
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252D98
            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252DA1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252DA8
            • GlobalFree.KERNEL32(00000000), ref: 00252DB3
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252DC5
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0026FC38,00000000), ref: 00252DDB
            • GlobalFree.KERNEL32(00000000), ref: 00252DEB
            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00252E11
            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00252E30
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00252E52
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025303F
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 0026712F
            • GetSysColorBrush.USER32(0000000F), ref: 00267160
            • GetSysColor.USER32(0000000F), ref: 0026716C
            • SetBkColor.GDI32(?,000000FF), ref: 00267186
            • SelectObject.GDI32(?,?), ref: 00267195
            • InflateRect.USER32(?,000000FF,000000FF), ref: 002671C0
            • GetSysColor.USER32(00000010), ref: 002671C8
            • CreateSolidBrush.GDI32(00000000), ref: 002671CF
            • FrameRect.USER32(?,?,00000000), ref: 002671DE
            • DeleteObject.GDI32(00000000), ref: 002671E5
            • InflateRect.USER32(?,000000FE,000000FE), ref: 00267230
            • FillRect.USER32(?,?,?), ref: 00267262
            • GetWindowLongW.USER32(?,000000F0), ref: 00267284
              • Part of subcall function 002673E8: GetSysColor.USER32(00000012), ref: 00267421
              • Part of subcall function 002673E8: SetTextColor.GDI32(?,?), ref: 00267425
              • Part of subcall function 002673E8: GetSysColorBrush.USER32(0000000F), ref: 0026743B
              • Part of subcall function 002673E8: GetSysColor.USER32(0000000F), ref: 00267446
              • Part of subcall function 002673E8: GetSysColor.USER32(00000011), ref: 00267463
              • Part of subcall function 002673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00267471
              • Part of subcall function 002673E8: SelectObject.GDI32(?,00000000), ref: 00267482
              • Part of subcall function 002673E8: SetBkColor.GDI32(?,00000000), ref: 0026748B
              • Part of subcall function 002673E8: SelectObject.GDI32(?,?), ref: 00267498
              • Part of subcall function 002673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002674B7
              • Part of subcall function 002673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002674CE
              • Part of subcall function 002673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002674DB
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            APIs
            • DestroyWindow.USER32(?,?), ref: 001E8E14
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00226AC5
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00226AFE
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00226F43
              • Part of subcall function 001E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001E8BE8,?,00000000,?,?,?,?,001E8BBA,00000000,?), ref: 001E8FC5
            • SendMessageW.USER32(?,00001053), ref: 00226F7F
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00226F96
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00226FAC
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00226FB7
            Similarity
            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 2760611726-4108050209
            APIs
            • DestroyWindow.USER32(00000000), ref: 0025273E
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0025286A
            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002528A9
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002528B9
            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00252900
            • GetClientRect.USER32(00000000,?), ref: 0025290C
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00252955
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00252964
            • GetStockObject.GDI32(00000011), ref: 00252974
            • SelectObject.GDI32(00000000,00000000), ref: 00252978
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00252988
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00252991
            • DeleteDC.GDI32(00000000), ref: 0025299A
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002529C6
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 002529DD
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00252A1D
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00252A31
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00252A42
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00252A77
            • GetStockObject.GDI32(00000011), ref: 00252A82
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00252A8D
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00252A97
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00244AED
            • GetDriveTypeW.KERNEL32(?,0026CB68,?,\\.\,0026CC08), ref: 00244BCA
            • SetErrorMode.KERNEL32(00000000,0026CB68,?,\\.\,0026CC08), ref: 00244D36
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            APIs
            • GetSysColor.USER32(00000012), ref: 00267421
            • SetTextColor.GDI32(?,?), ref: 00267425
            • GetSysColorBrush.USER32(0000000F), ref: 0026743B
            • GetSysColor.USER32(0000000F), ref: 00267446
            • CreateSolidBrush.GDI32(?), ref: 0026744B
            • GetSysColor.USER32(00000011), ref: 00267463
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00267471
            • SelectObject.GDI32(?,00000000), ref: 00267482
            • SetBkColor.GDI32(?,00000000), ref: 0026748B
            • SelectObject.GDI32(?,?), ref: 00267498
            • InflateRect.USER32(?,000000FF,000000FF), ref: 002674B7
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002674CE
            • GetWindowLongW.USER32(00000000,000000F0), ref: 002674DB
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0026752A
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00267554
            • InflateRect.USER32(?,000000FD,000000FD), ref: 00267572
            • DrawFocusRect.USER32(?,?), ref: 0026757D
            • GetSysColor.USER32(00000011), ref: 0026758E
            • SetTextColor.GDI32(?,00000000), ref: 00267596
            • DrawTextW.USER32(?,002670F5,000000FF,?,00000000), ref: 002675A8
            • SelectObject.GDI32(?,?), ref: 002675BF
            • DeleteObject.GDI32(?), ref: 002675CA
            • SelectObject.GDI32(?,?), ref: 002675D0
            • DeleteObject.GDI32(?), ref: 002675D5
            • SetTextColor.GDI32(?,?), ref: 002675DB
            • SetBkColor.GDI32(?,?), ref: 002675E5
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            APIs
            • GetCursorPos.USER32(?), ref: 00261128
            • GetDesktopWindow.USER32 ref: 0026113D
            • GetWindowRect.USER32(00000000), ref: 00261144
            • GetWindowLongW.USER32(?,000000F0), ref: 00261199
            • DestroyWindow.USER32(?), ref: 002611B9
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002611ED
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0026120B
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0026121D
            • SendMessageW.USER32(00000000,00000421,?,?), ref: 00261232
            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00261245
            • IsWindowVisible.USER32(00000000), ref: 002612A1
            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002612BC
            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002612D0
            • GetWindowRect.USER32(00000000,?), ref: 002612E8
            • MonitorFromPoint.USER32(?,?,00000002), ref: 0026130E
            • GetMonitorInfoW.USER32(00000000,?), ref: 00261328
            • CopyRect.USER32(?,?), ref: 0026133F
            • SendMessageW.USER32(00000000,00000412,00000000), ref: 002613AA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: f1c37b38964bc93b7d5d09212bb6f39d057fc40dd82df70b0d9d075b6ec78ff9
            • Instruction ID: 2f15ddbfdd213162b9a6e239f4a48fdaf1f09d4bbe2d475026aedd52b3e066b5
            • Opcode Fuzzy Hash: f1c37b38964bc93b7d5d09212bb6f39d057fc40dd82df70b0d9d075b6ec78ff9
            • Instruction Fuzzy Hash: 63B1B071618341AFD704DF64D888B6ABBE4FF84300F14891DF99A9B2A1C771E8A4CB91
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 002602E5
            • _wcslen.LIBCMT ref: 0026031F
            • _wcslen.LIBCMT ref: 00260389
            • _wcslen.LIBCMT ref: 002603F1
            • _wcslen.LIBCMT ref: 00260475
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002604C5
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00260504
              • Part of subcall function 001EF9F2: _wcslen.LIBCMT ref: 001EF9FD
              • Part of subcall function 0023223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00232258
              • Part of subcall function 0023223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0023228A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$MessageSend$BuffCharUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 1103490817-719923060
            • Opcode ID: 39951e1490e7f381ec7370ef5b3c088fbd254c11bf45dcd901ccae45afd873d5
            • Instruction ID: 70ff5f1ee9c18b28d80d773fbe714489fd3a7ee88b237bd0b968e091ad09b17e
            • Opcode Fuzzy Hash: 39951e1490e7f381ec7370ef5b3c088fbd254c11bf45dcd901ccae45afd873d5
            • Instruction Fuzzy Hash: 8AE19D312282028BCB24DF24C59083BB3E6BF98714B54495DF8969B3A1DB30EDA5DB81
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001E8968
            • GetSystemMetrics.USER32(00000007), ref: 001E8970
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001E899B
            • GetSystemMetrics.USER32(00000008), ref: 001E89A3
            • GetSystemMetrics.USER32(00000004), ref: 001E89C8
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001E89E5
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001E89F5
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001E8A28
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001E8A3C
            • GetClientRect.USER32(00000000,000000FF), ref: 001E8A5A
            • GetStockObject.GDI32(00000011), ref: 001E8A76
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 001E8A81
              • Part of subcall function 001E912D: GetCursorPos.USER32(?), ref: 001E9141
              • Part of subcall function 001E912D: ScreenToClient.USER32(00000000,?), ref: 001E915E
              • Part of subcall function 001E912D: GetAsyncKeyState.USER32(00000001), ref: 001E9183
              • Part of subcall function 001E912D: GetAsyncKeyState.USER32(00000002), ref: 001E919D
            • SetTimer.USER32(00000000,00000000,00000028,001E90FC), ref: 001E8AA8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: 94158343cb7e0c87b964111c595e4f1d5c5c50759bd84dacd20595019c868555
            • Instruction ID: 65958714922fcdde5665f02b5b1dd3a66e64c5195d9c9935b7df64e5e9c3b14d
            • Opcode Fuzzy Hash: 94158343cb7e0c87b964111c595e4f1d5c5c50759bd84dacd20595019c868555
            • Instruction Fuzzy Hash: 07B17F75A0024AAFDB14DFA8EC49BAE7BB5FB48314F108129FA15A7290DB74E850CF51
            APIs
              • Part of subcall function 002310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00231114
              • Part of subcall function 002310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 00231120
              • Part of subcall function 002310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 0023112F
              • Part of subcall function 002310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 00231136
              • Part of subcall function 002310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0023114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00230DF5
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00230E29
            • GetLengthSid.ADVAPI32(?), ref: 00230E40
            • GetAce.ADVAPI32(?,00000000,?), ref: 00230E7A
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00230E96
            • GetLengthSid.ADVAPI32(?), ref: 00230EAD
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00230EB5
            • HeapAlloc.KERNEL32(00000000), ref: 00230EBC
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00230EDD
            • CopySid.ADVAPI32(00000000), ref: 00230EE4
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00230F13
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00230F35
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00230F47
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00230F6E
            • HeapFree.KERNEL32(00000000), ref: 00230F75
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00230F7E
            • HeapFree.KERNEL32(00000000), ref: 00230F85
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00230F8E
            • HeapFree.KERNEL32(00000000), ref: 00230F95
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00230FA1
            • HeapFree.KERNEL32(00000000), ref: 00230FA8
              • Part of subcall function 00231193: GetProcessHeap.KERNEL32(00000008,00230BB1,?,00000000,?,00230BB1,?), ref: 002311A1
              • Part of subcall function 00231193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00230BB1,?), ref: 002311A8
              • Part of subcall function 00231193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00230BB1,?), ref: 002311B7
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: 8e302bb1cc67673feb918cb14257d71a34bdd35018d540ccb62e2810493f05d4
            • Instruction ID: 9f3e7e9f43790eeb416c76950d02b8cdbd145c82bd46e5dedc02bf40b80ff510
            • Opcode Fuzzy Hash: 8e302bb1cc67673feb918cb14257d71a34bdd35018d540ccb62e2810493f05d4
            • Instruction Fuzzy Hash: 5C716FB191020AEBDF209FA5EC88FEEBBB8BF05300F148165F959E6151DB719915CB70
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0025C4BD
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0026CC08,00000000,?,00000000,?,?), ref: 0025C544
            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0025C5A4
            • _wcslen.LIBCMT ref: 0025C5F4
            • _wcslen.LIBCMT ref: 0025C66F
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0025C6B2
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0025C7C1
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0025C84D
            • RegCloseKey.ADVAPI32(?), ref: 0025C881
            • RegCloseKey.ADVAPI32(00000000), ref: 0025C88E
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0025C960
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 9721498-966354055
            • Opcode ID: 8a147f9a074283596efb1e02e98566850aadb4666ffb9d286e4cf05402b1337b
            • Instruction ID: ee2c5b39d2d90db9ad51ac526c7d81d346d13b9df00e35b683a5e6f268d0b6f8
            • Opcode Fuzzy Hash: 8a147f9a074283596efb1e02e98566850aadb4666ffb9d286e4cf05402b1337b
            • Instruction Fuzzy Hash: CC1278352143019FCB14DF24D885A2AB7E5FF88714F14899DF88A9B3A2EB31ED45CB85
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 002609C6
            • _wcslen.LIBCMT ref: 00260A01
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00260A54
            • _wcslen.LIBCMT ref: 00260A8A
            • _wcslen.LIBCMT ref: 00260B06
            • _wcslen.LIBCMT ref: 00260B81
              • Part of subcall function 001EF9F2: _wcslen.LIBCMT ref: 001EF9FD
              • Part of subcall function 00232BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00232BFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$MessageSend$BuffCharUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 1103490817-4258414348
            • Opcode ID: d22bd81c7a1bf147af01bdae9eef09acea33976c5829cbb546ed964c09533c0e
            • Instruction ID: 1b055ca56600a8b2e23dcbc3c6f471356661e7e0b309c7b68a6982226196ea76
            • Opcode Fuzzy Hash: d22bd81c7a1bf147af01bdae9eef09acea33976c5829cbb546ed964c09533c0e
            • Instruction Fuzzy Hash: 94E18D312287028FCB14DF25C49092BB7E1FF98358B148A5DF8969B3A2D731ED95DB81
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 1256254125-909552448
            • Opcode ID: af426b496a3e2ef9539ced95b8bf487349643b91fa00569934d43338d547e28f
            • Instruction ID: 7a00167275b9692e2cbaba9ed0fb71c735f26bbb48d1587b7ac8e8a076bf7414
            • Opcode Fuzzy Hash: af426b496a3e2ef9539ced95b8bf487349643b91fa00569934d43338d547e28f
            • Instruction Fuzzy Hash: 1C71E23263022B8FCF20DE68C9415BA3795AB6075AB350529FC6697284F771CD69C3A8
            APIs
            • _wcslen.LIBCMT ref: 0026835A
            • _wcslen.LIBCMT ref: 0026836E
            • _wcslen.LIBCMT ref: 00268391
            • _wcslen.LIBCMT ref: 002683B4
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002683F2
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00265BF2), ref: 0026844E
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00268487
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002684CA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00268501
            • FreeLibrary.KERNEL32(?), ref: 0026850D
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0026851D
            • DestroyIcon.USER32(?,?,?,?,?,00265BF2), ref: 0026852C
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00268549
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00268555
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
            • String ID: .dll$.exe$.icl
            • API String ID: 799131459-1154884017
            • Opcode ID: 44f1e6effa99a83d78914152ba0bd04836be995c754ad1a67c90c584c599dbe1
            • Instruction ID: c5217558efe863c2b4ae61dd522f38f6f7f73653038f0567739b29bbd4796b7b
            • Opcode Fuzzy Hash: 44f1e6effa99a83d78914152ba0bd04836be995c754ad1a67c90c584c599dbe1
            • Instruction Fuzzy Hash: 0C61F37151021ABBEB14DF64DC85BBF77A8FB08710F10460AF956E61D1DFB499A0C7A0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID:
            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 0-1645009161
            • Opcode ID: 5d487b763d995b0ce4eeb5da693fd7f919ec7a7f7abae65b45c9d5435a4fa8c6
            • Instruction ID: 3ae9ec875d392fd706471e78cddd76caf15a32a99d1f16d119816214e87d59e0
            • Opcode Fuzzy Hash: 5d487b763d995b0ce4eeb5da693fd7f919ec7a7f7abae65b45c9d5435a4fa8c6
            • Instruction Fuzzy Hash: 3281F271610615BBDB21AF60DC46FFF37A8AF65300F004466F909AA2D6FB70D9A1C6A1
            APIs
            • LoadIconW.USER32(00000063), ref: 00235A2E
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00235A40
            • SetWindowTextW.USER32(?,?), ref: 00235A57
            • GetDlgItem.USER32(?,000003EA), ref: 00235A6C
            • SetWindowTextW.USER32(00000000,?), ref: 00235A72
            • GetDlgItem.USER32(?,000003E9), ref: 00235A82
            • SetWindowTextW.USER32(00000000,?), ref: 00235A88
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00235AA9
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00235AC3
            • GetWindowRect.USER32(?,?), ref: 00235ACC
            • _wcslen.LIBCMT ref: 00235B33
            • SetWindowTextW.USER32(?,?), ref: 00235B6F
            • GetDesktopWindow.USER32 ref: 00235B75
            • GetWindowRect.USER32(00000000), ref: 00235B7C
            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00235BD3
            • GetClientRect.USER32(?,?), ref: 00235BE0
            • PostMessageW.USER32(?,00000005,00000000,?), ref: 00235C05
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00235C2F
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
            • String ID:
            • API String ID: 895679908-0
            • Opcode ID: c0754f1e6e179a0cab99a3a1f7a03e7d68d06e7602c454b2ef9789a5661ad581
            • Instruction ID: e6b6f1b2caf1aa96343f936d1f42e73aff70a7d7ef17e081b09889d3520f1cfa
            • Opcode Fuzzy Hash: c0754f1e6e179a0cab99a3a1f7a03e7d68d06e7602c454b2ef9789a5661ad581
            • Instruction Fuzzy Hash: 6A71AF71910B1AAFCB20DFA8CE89B6EBBF5FF48704F104518E586A21A4D7B4E950CF50
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[)
            • API String ID: 176396367-2727137042
            • Opcode ID: 7f607687d70b20a6530b3717f0f7c3c6ba44b3800f986233f84d462a80b6090e
            • Instruction ID: 6e7221dc4a84bf186feb49c1b060388ba552270237477dfa6efd0a29e756d67c
            • Opcode Fuzzy Hash: 7f607687d70b20a6530b3717f0f7c3c6ba44b3800f986233f84d462a80b6090e
            • Instruction Fuzzy Hash: D8E104B2B20616ABCB14DF68C4516FEBBB0BF18710F54811AE956E7240DB70AFA5C790
            APIs
            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001F00C6
              • Part of subcall function 001F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002A070C,00000FA0,2C786418,?,?,?,?,002123B3,000000FF), ref: 001F011C
              • Part of subcall function 001F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002123B3,000000FF), ref: 001F0127
              • Part of subcall function 001F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002123B3,000000FF), ref: 001F0138
              • Part of subcall function 001F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001F014E
              • Part of subcall function 001F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001F015C
              • Part of subcall function 001F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001F016A
              • Part of subcall function 001F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001F0195
              • Part of subcall function 001F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001F01A0
            • ___scrt_fastfail.LIBCMT ref: 001F00E7
              • Part of subcall function 001F00A3: __onexit.LIBCMT ref: 001F00A9
            Strings
            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 001F0122
            • WakeAllConditionVariable, xrefs: 001F0162
            • kernel32.dll, xrefs: 001F0133
            • SleepConditionVariableCS, xrefs: 001F0154
            • InitializeConditionVariable, xrefs: 001F0148
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
            • API String ID: 66158676-1714406822
            • Opcode ID: ca50d2a50e74f8555fa874d7618b623f0bdfb65cd69a7cde1817f5f0158a31bc
            • Instruction ID: 406a135dadb5d92d46722341d4f46582d1655ac4bc986c38acf288eeb74937f9
            • Opcode Fuzzy Hash: ca50d2a50e74f8555fa874d7618b623f0bdfb65cd69a7cde1817f5f0158a31bc
            • Instruction Fuzzy Hash: 972129326487146BDB127BA4BC4DB7A73D4DB0FB50F10416AF905A3292DFB0AC408A90
            APIs
            • CharLowerBuffW.USER32(00000000,00000000,0026CC08), ref: 00244527
            • _wcslen.LIBCMT ref: 0024453B
            • _wcslen.LIBCMT ref: 00244599
            • _wcslen.LIBCMT ref: 002445F4
            • _wcslen.LIBCMT ref: 0024463F
            • _wcslen.LIBCMT ref: 002446A7
              • Part of subcall function 001EF9F2: _wcslen.LIBCMT ref: 001EF9FD
            • GetDriveTypeW.KERNEL32(?,00296BF0,00000061), ref: 00244743
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$BuffCharDriveLowerType
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2055661098-1000479233
            • Opcode ID: c3d1711982e8bdd99cea77453b28c27a21e722bcd28b32966879c98944502dd8
            • Instruction ID: b0553dc5aba4a20f5a37cea6c18dec71d38bc9d3d54111b831d03443a65e69fb
            • Opcode Fuzzy Hash: c3d1711982e8bdd99cea77453b28c27a21e722bcd28b32966879c98944502dd8
            • Instruction Fuzzy Hash: 51B120716283029FC718EF28C890A7EB7E4BFA6724F50491DF496C7291E730D865CB92
            APIs
              • Part of subcall function 001E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001E9BB2
            • DragQueryPoint.SHELL32(?,?), ref: 00269147
              • Part of subcall function 00267674: ClientToScreen.USER32(?,?), ref: 0026769A
              • Part of subcall function 00267674: GetWindowRect.USER32(?,?), ref: 00267710
              • Part of subcall function 00267674: PtInRect.USER32(?,?,00268B89), ref: 00267720
            • SendMessageW.USER32(?,000000B0,?,?), ref: 002691B0
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002691BB
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002691DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00269225
            • SendMessageW.USER32(?,000000B0,?,?), ref: 0026923E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00269255
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00269277
            • DragFinish.SHELL32(?), ref: 0026927E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00269371
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#*
            • API String ID: 221274066-2884822411
            • Opcode ID: b8b1a932ff85b01d5fb0200a5a05a572a76d3df835d6496c22b174ab675665eb
            • Instruction ID: 7387bcde468f7be355591e84184746ef7600aa8d7f242f98df03eac3c74dd476
            • Opcode Fuzzy Hash: b8b1a932ff85b01d5fb0200a5a05a572a76d3df835d6496c22b174ab675665eb
            • Instruction Fuzzy Hash: 0F61BB71108301AFC704EF64EC89DAFBBE8EF99750F10492EF595932A0DB709A58CB52
            APIs
            • _wcslen.LIBCMT ref: 0025B198
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0025B1B0
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0025B1D4
            • _wcslen.LIBCMT ref: 0025B200
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0025B214
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0025B236
            • _wcslen.LIBCMT ref: 0025B332
              • Part of subcall function 002405A7: GetStdHandle.KERNEL32(000000F6), ref: 002405C6
            • _wcslen.LIBCMT ref: 0025B34B
            • _wcslen.LIBCMT ref: 0025B366
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0025B3B6
            • GetLastError.KERNEL32(00000000), ref: 0025B407
            • CloseHandle.KERNEL32(?), ref: 0025B439
            • CloseHandle.KERNEL32(00000000), ref: 0025B44A
            • CloseHandle.KERNEL32(00000000), ref: 0025B45C
            • CloseHandle.KERNEL32(00000000), ref: 0025B46E
            • CloseHandle.KERNEL32(?), ref: 0025B4E3
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
            • String ID:
            • API String ID: 2178637699-0
            • Opcode ID: a0e209cf61c43e274578635f288bd978e3bb762f7af3f45425d9a85648c122da
            • Instruction ID: 57ffef8d7636653e2d6854a27e130790997ef46165ecff864c9f67cb771175e5
            • Opcode Fuzzy Hash: a0e209cf61c43e274578635f288bd978e3bb762f7af3f45425d9a85648c122da
            • Instruction Fuzzy Hash: CCF1BC316183419FC725EF24D891B6EBBE0AF85310F14855EF8899B3A2DB31EC58CB56
            APIs
            • GetMenuItemCount.USER32(002A1990), ref: 00212F8D
            • GetMenuItemCount.USER32(002A1990), ref: 0021303D
            • GetCursorPos.USER32(?), ref: 00213081
            • SetForegroundWindow.USER32(00000000), ref: 0021308A
            • TrackPopupMenuEx.USER32(002A1990,00000000,?,00000000,00000000,00000000), ref: 0021309D
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002130A9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
            • String ID: 0
            • API String ID: 36266755-4108050209
            • Opcode ID: 32c636b4a2f4a554d84bf0ad64baf5749638adc81d1a3c0bd8f929da02c50609
            • Instruction ID: 9081ee9ee0fa099cb5ab300ca337d47b1a6e0e5589693be1bd8d96724e59ef02
            • Opcode Fuzzy Hash: 32c636b4a2f4a554d84bf0ad64baf5749638adc81d1a3c0bd8f929da02c50609
            • Instruction Fuzzy Hash: B2712770640206BEEB259F64DC49FEABFA5FF15324F204207F5256A2E0C7B1A974CB91
            APIs
            • DestroyWindow.USER32(?,?), ref: 00266DEB
              • Part of subcall function 001D6B57: _wcslen.LIBCMT ref: 001D6B6A
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00266E5F
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00266E81
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00266E94
            • DestroyWindow.USER32(?), ref: 00266EB5
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001D0000,00000000), ref: 00266EE4
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00266EFD
            • GetDesktopWindow.USER32 ref: 00266F16
            • GetWindowRect.USER32(00000000), ref: 00266F1D
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00266F35
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00266F4D
              • Part of subcall function 001E9944: GetWindowLongW.USER32(?,000000EB), ref: 001E9952
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
            • String ID: 0$tooltips_class32
            • API String ID: 2429346358-3619404913
            • Opcode ID: 8f0ff606e6069bb9ff80271ab57537e28a1321d9b60bdabe66669af298974ab0
            • Instruction ID: 3942538959e9b4ff9ae6292edaa78f318a96b31f2ab40fa7264d403ed1539370
            • Opcode Fuzzy Hash: 8f0ff606e6069bb9ff80271ab57537e28a1321d9b60bdabe66669af298974ab0
            • Instruction Fuzzy Hash: 1D718870114242AFDB25DF18EC48EBBBBE9FB99304F14441EF99987260CBB1E965CB11
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0024C4B0
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0024C4C3
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0024C4D7
            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0024C4F0
            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0024C533
            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0024C549
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0024C554
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0024C584
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0024C5DC
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0024C5F0
            • InternetCloseHandle.WININET(00000000), ref: 0024C5FB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
            • String ID:
            • API String ID: 3800310941-3916222277
            • Opcode ID: 61cd20f4ac5d12cf00391518dbc6d3e209120c0ea92bd918d977b709900b9f63
            • Instruction ID: 3a8b2e3d79360109887a721135aff1b3afbbbdf56957bab87695dc57c933cb71
            • Opcode Fuzzy Hash: 61cd20f4ac5d12cf00391518dbc6d3e209120c0ea92bd918d977b709900b9f63
            • Instruction Fuzzy Hash: 3B517DB0511209BFDB659F68DD48ABB7BFCFF08354F20841AF986A6250DB70E9149F60
            APIs
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00268592
            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002685A2
            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002685AD
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002685BA
            • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002685C8
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002685D7
            • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002685E0
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002685E7
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002685F8
            • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0026FC38,?), ref: 00268611
            • GlobalFree.KERNEL32(00000000), ref: 00268621
            • GetObjectW.GDI32(?,00000018,?), ref: 00268641
            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00268671
            • DeleteObject.GDI32(?), ref: 00268699
            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002686AF
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
            • String ID:
            • API String ID: 3840717409-0
            • Opcode ID: 2bbe3ee32dd38a9c4c8e5b68a07d41b8159952a9f5b1f9bb245a2da4627c717a
            • Instruction ID: 90df53cf2cb9fbeba8eb45694cea9321bbe44509ab23804023829689eac4eac0
            • Opcode Fuzzy Hash: 2bbe3ee32dd38a9c4c8e5b68a07d41b8159952a9f5b1f9bb245a2da4627c717a
            • Instruction Fuzzy Hash: 4D414B71600205EFDB11EFA5DC4CEAA7BBCEF89711F208159F94AE7260DB709941CB60
            APIs
            • VariantInit.OLEAUT32(00000000), ref: 00241502
            • VariantCopy.OLEAUT32(?,?), ref: 0024150B
            • VariantClear.OLEAUT32(?), ref: 00241517
            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002415FB
            • VarR8FromDec.OLEAUT32(?,?), ref: 00241657
            • VariantInit.OLEAUT32(?), ref: 00241708
            • SysFreeString.OLEAUT32(?), ref: 0024178C
            • VariantClear.OLEAUT32(?), ref: 002417D8
            • VariantClear.OLEAUT32(?), ref: 002417E7
            • VariantInit.OLEAUT32(00000000), ref: 00241823
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
            • String ID: %4d%02d%02d%02d%02d%02d$Default
            • API String ID: 1234038744-3931177956
            • Opcode ID: 4da111b7161988a96307eb5e46588f98ce407703d63154da413c2e018bc3f3be
            • Instruction ID: 2264b9a5043bce238369da500e0034e9232082abce5df480d81abe518d636794
            • Opcode Fuzzy Hash: 4da111b7161988a96307eb5e46588f98ce407703d63154da413c2e018bc3f3be
            • Instruction Fuzzy Hash: 93D12731620505DBDB18EF65E885BBDB7B5BF44700F64805AF446AB280DBB0ECB1DB61
            APIs
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
              • Part of subcall function 0025C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0025B6AE,?,?), ref: 0025C9B5
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025C9F1
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025CA68
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0025B6F4
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0025B772
            • RegDeleteValueW.ADVAPI32(?,?), ref: 0025B80A
            • RegCloseKey.ADVAPI32(?), ref: 0025B87E
            • RegCloseKey.ADVAPI32(?), ref: 0025B89C
            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0025B8F2
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0025B904
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0025B922
            • FreeLibrary.KERNEL32(00000000), ref: 0025B983
            • RegCloseKey.ADVAPI32(00000000), ref: 0025B994
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 146587525-4033151799
            • Opcode ID: 9b499bfb0b4f35686be244b447897e136ca3ea1b6c8168386dcfd4967975ae5e
            • Instruction ID: a992e37a8f20f05b95a84961d6f36b3f5966b3780d4bb9a126e2c62e98c5a9e7
            • Opcode Fuzzy Hash: 9b499bfb0b4f35686be244b447897e136ca3ea1b6c8168386dcfd4967975ae5e
            • Instruction Fuzzy Hash: 43C18B31214202AFD715DF14C495F2ABBE5BF84319F14859DF89A8B3A2CB71EC49CB91
            APIs
            • GetDC.USER32(00000000), ref: 002525D8
            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002525E8
            • CreateCompatibleDC.GDI32(?), ref: 002525F4
            • SelectObject.GDI32(00000000,?), ref: 00252601
            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0025266D
            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002526AC
            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002526D0
            • SelectObject.GDI32(?,?), ref: 002526D8
            • DeleteObject.GDI32(?), ref: 002526E1
            • DeleteDC.GDI32(?), ref: 002526E8
            • ReleaseDC.USER32(00000000,?), ref: 002526F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: 92c4d38b1fdf92f1b4e6026fda5ef0e1ebaf1bdda80b95f827ca413e3721cfc9
            • Instruction ID: 631f411a7747ad76405fdaa9269c554e2bfc786b71f3359f9e6dee107fd73d7c
            • Opcode Fuzzy Hash: 92c4d38b1fdf92f1b4e6026fda5ef0e1ebaf1bdda80b95f827ca413e3721cfc9
            • Instruction Fuzzy Hash: 8D611475D10219EFCF04DFA4D884AAEBBF9FF48310F208429E959A7250D370A955CF94
            APIs
            • ___free_lconv_mon.LIBCMT ref: 0020DAA1
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D659
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D66B
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D67D
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D68F
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D6A1
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D6B3
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D6C5
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D6D7
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D6E9
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D6FB
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D70D
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D71F
              • Part of subcall function 0020D63C: _free.LIBCMT ref: 0020D731
            • _free.LIBCMT ref: 0020DA96
              • Part of subcall function 002029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000), ref: 002029DE
              • Part of subcall function 002029C8: GetLastError.KERNEL32(00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000,00000000), ref: 002029F0
            • _free.LIBCMT ref: 0020DAB8
            • _free.LIBCMT ref: 0020DACD
            • _free.LIBCMT ref: 0020DAD8
            • _free.LIBCMT ref: 0020DAFA
            • _free.LIBCMT ref: 0020DB0D
            • _free.LIBCMT ref: 0020DB1B
            • _free.LIBCMT ref: 0020DB26
            • _free.LIBCMT ref: 0020DB5E
            • _free.LIBCMT ref: 0020DB65
            • _free.LIBCMT ref: 0020DB82
            • _free.LIBCMT ref: 0020DB9A
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
            • String ID:
            • API String ID: 161543041-0
            • Opcode ID: fc54810aae61c85373ae4935b1e09f0e0a97151388fcd858cc05f4faa8469626
            • Instruction ID: 77a6d64c2c08ea57474b28ec17e7a4eb1fcf9ba4173950f844f99e1f7d7a7755
            • Opcode Fuzzy Hash: fc54810aae61c85373ae4935b1e09f0e0a97151388fcd858cc05f4faa8469626
            • Instruction Fuzzy Hash: A4314A3166530ADFEB21AEB8E845B5677E8FF00310F21541AE449D71D3DE35AC648B20
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 0023369C
            • _wcslen.LIBCMT ref: 002336A7
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00233797
            • GetClassNameW.USER32(?,?,00000400), ref: 0023380C
            • GetDlgCtrlID.USER32(?), ref: 0023385D
            • GetWindowRect.USER32(?,?), ref: 00233882
            • GetParent.USER32(?), ref: 002338A0
            • ScreenToClient.USER32(00000000), ref: 002338A7
            • GetClassNameW.USER32(?,?,00000100), ref: 00233921
            • GetWindowTextW.USER32(?,?,00000400), ref: 0023395D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
            • String ID: %s%u
            • API String ID: 4010501982-679674701
            • Opcode ID: 70e89c9f4997e5c58b6d50eef47c8c79890ed3e0d1087bedd4f4456038aa45ac
            • Instruction ID: 857cf2c048d03cea544ada9fd2cd103356a28fa68a0b56a08b44137140c82136
            • Opcode Fuzzy Hash: 70e89c9f4997e5c58b6d50eef47c8c79890ed3e0d1087bedd4f4456038aa45ac
            • Instruction Fuzzy Hash: D791B0B1214607EFD719DF24C885BAAF7A8FF44310F008629FA99C2190DB70EB65CB91
            APIs
            • GetClassNameW.USER32(?,?,00000400), ref: 00234994
            • GetWindowTextW.USER32(?,?,00000400), ref: 002349DA
            • _wcslen.LIBCMT ref: 002349EB
            • CharUpperBuffW.USER32(?,00000000), ref: 002349F7
            • _wcsstr.LIBVCRUNTIME ref: 00234A2C
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00234A64
            • GetWindowTextW.USER32(?,?,00000400), ref: 00234A9D
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00234AE6
            • GetClassNameW.USER32(?,?,00000400), ref: 00234B20
            • GetWindowRect.USER32(?,?), ref: 00234B8B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
            • String ID: ThumbnailClass
            • API String ID: 1311036022-1241985126
            • Opcode ID: 838b4bf8670461ef0b63397ed873723a3d65f3da70ea3b113bae8753d4506bf5
            • Instruction ID: 7fb292b1f482499068a41506c8fa6840d3b9ca1dc975c4acf768bdf616da0b19
            • Opcode Fuzzy Hash: 838b4bf8670461ef0b63397ed873723a3d65f3da70ea3b113bae8753d4506bf5
            • Instruction Fuzzy Hash: 3D91E0B11142069FDB04EF10D884BBAB7E9FF84308F0484AAFD859A196DB30FD55CBA1
            APIs
              • Part of subcall function 001E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001E9BB2
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00268D5A
            • GetFocus.USER32 ref: 00268D6A
            • GetDlgCtrlID.USER32(00000000), ref: 00268D75
            • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00268E1D
            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00268ECF
            • GetMenuItemCount.USER32(?), ref: 00268EEC
            • GetMenuItemID.USER32(?,00000000), ref: 00268EFC
            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00268F2E
            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00268F70
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00268FA1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
            • String ID: 0
            • API String ID: 1026556194-4108050209
            • Opcode ID: 38224c67ee9ff669214f1ad683f547285565d1582902a7dfa492b0fdc9453762
            • Instruction ID: bf5aee797db0ac4d85e740df4ec5493063f4403ae0a46b297b5b8c07c9946c60
            • Opcode Fuzzy Hash: 38224c67ee9ff669214f1ad683f547285565d1582902a7dfa492b0fdc9453762
            • Instruction Fuzzy Hash: 2781D1715183029FD710DF24D884AAB7BE9FF88314F100A1DF98597291DB71D9A0CBA2
            APIs
            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0023DC20
            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0023DC46
            • _wcslen.LIBCMT ref: 0023DC50
            • _wcsstr.LIBVCRUNTIME ref: 0023DCA0
            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0023DCBC
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
            • API String ID: 1939486746-1459072770
            • Opcode ID: 3b596f1d885eb12ff2bc9d6f2472a22cd4b0e3f61517441e3aa1c7ce829c5b7d
            • Instruction ID: f3d3ea564d348ff42ea76c8d04fda178e989153d65860912c03711aa9c1b6b4a
            • Opcode Fuzzy Hash: 3b596f1d885eb12ff2bc9d6f2472a22cd4b0e3f61517441e3aa1c7ce829c5b7d
            • Instruction Fuzzy Hash: 92414A729502097BDB05BB75EC07EFF77ACEF66710F20406AFA00A6182EB75991187A4
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0025CC64
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0025CC8D
            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0025CD48
              • Part of subcall function 0025CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0025CCAA
              • Part of subcall function 0025CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0025CCBD
              • Part of subcall function 0025CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0025CCCF
              • Part of subcall function 0025CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0025CD05
              • Part of subcall function 0025CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0025CD28
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0025CCF3
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2734957052-4033151799
            • Opcode ID: 95dac19c95543c1fae273163d2b3d82498497c67f8fadc8ec9e58be523f43bec
            • Instruction ID: 11c1cce14eba3e0ebf4da9796b5b122e886bc94f79bef9559f8e98ff66331413
            • Opcode Fuzzy Hash: 95dac19c95543c1fae273163d2b3d82498497c67f8fadc8ec9e58be523f43bec
            • Instruction Fuzzy Hash: 84318071911229BFDB219F90DC8CEFFBB7CEF06751F204165E905E2240E6B09A499AA4
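The function listed above is the runtime's registry-deletion helper: it walks subkeys with RegEnumKeyExW, resolves RegDeleteKeyExW at run time through LoadLibraryA("advapi32.dll") and GetProcAddress, and falls back to RegDeleteKeyW. Report pages like this one are often triaged by script rather than by eye, so the following Python is an added example (not part of the Joe Sandbox report or of the sample's own code): it parses the report's "APIs" line format, including the "Part of subcall function" attributions, and applies two triage rules over an input constructed from the lines of that function. The rule names, the rule contents and the SAMPLE text are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: "APIs" lines copied from the function listing above.
SAMPLE = """\
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0025CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0025CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0025CD48
  • Part of subcall function 0025CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0025CCAA
  • Part of subcall function 0025CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0025CCBD
  • Part of subcall function 0025CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0025CCCF
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0025CCF3
• timeGetTime.WINMM ref: 0023E6B4
"""

# One report line: optional subcall attribution, API.MODULE, optional (args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]         # "?" marks an argument the static pass could not recover
    ref: str                # address of the call site
    subcall: Optional[str]  # callee address when the line is attributed to a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the report's bullet lines; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = raw.split(",") if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


# Assumed triage rules (not from the report): each rule is a list of alternative
# sets; a function matches when every set has at least one API present.
RULES = {
    "dynamic_api_resolution": [{"LoadLibraryA", "LoadLibraryW"}, {"GetProcAddress"}],
    "registry_key_deletion": [{"RegEnumKeyExW"}, {"RegDeleteKeyW", "RegDeleteKeyExW"}],
}


def match_rules(calls: List[ApiCall]) -> List[str]:
    names = {c.api for c in calls}
    return sorted(rule for rule, groups in RULES.items()
                  if all(group & names for group in groups))


def resolved_imports(calls: List[ApiCall]) -> List[str]:
    """Symbol names passed literally as the 2nd argument of GetProcAddress."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?"]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(f"{len(parsed)} calls, rules: {match_rules(parsed)}, "
          f"resolved at run time: {resolved_imports(parsed)}")
```

Subcall lines are kept in the same record set as the function's own calls on purpose: the report attributes them to the function because it reaches them, and a rule that looked only at direct calls would miss the LoadLibraryA/GetProcAddress pair here. Arguments shown as "?" are unrecovered, so resolved_imports only reports literal names, which is why it returns RegDeleteKeyExW and nothing for calls whose arguments were not recovered.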
            APIs
            • timeGetTime.WINMM ref: 0023E6B4
              • Part of subcall function 001EE551: timeGetTime.WINMM(?,?,0023E6D4), ref: 001EE555
            • Sleep.KERNEL32(0000000A), ref: 0023E6E1
            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0023E705
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0023E727
            • SetActiveWindow.USER32 ref: 0023E746
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0023E754
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0023E773
            • Sleep.KERNEL32(000000FA), ref: 0023E77E
            • IsWindow.USER32 ref: 0023E78A
            • EndDialog.USER32(00000000), ref: 0023E79B
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: 67514dcb4a477335b3e7d4a912404908efd39b398ad370ca7651c91cec8e19db
            • Instruction ID: dc2e6fc60401d4e2ff1a8488ed14bfd1cbedc8568e87af7addaedbf1c5ab1f2e
            • Opcode Fuzzy Hash: 67514dcb4a477335b3e7d4a912404908efd39b398ad370ca7651c91cec8e19db
            • Instruction Fuzzy Hash: 60219DF0250201EFEF006F64FC9DA367B6DEB56748F214425F856826A1DFB1AC2C8A24
            APIs
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0023EA5D
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0023EA73
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0023EA84
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0023EA96
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0023EAA7
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: SendString$_wcslen
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2420728520-1007645807
            • Opcode ID: 74c0ddec35d3208d9e59d93e534549c473192d71836dbf0dc18a630118c7f432
            • Instruction ID: abf89471e354261f8c9a3ee955ec3fb84eac14f45964eb69a3d6f9f58e982aa7
            • Opcode Fuzzy Hash: 74c0ddec35d3208d9e59d93e534549c473192d71836dbf0dc18a630118c7f432
            • Instruction Fuzzy Hash: 7111777166025979EB10A7A2DC4EEFF6ABCEBD2B40F4004267411A21D1DFB05D25C5B0
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 00235CE2
            • GetWindowRect.USER32(00000000,?), ref: 00235CFB
            • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00235D59
            • GetDlgItem.USER32(?,00000002), ref: 00235D69
            • GetWindowRect.USER32(00000000,?), ref: 00235D7B
            • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00235DCF
            • GetDlgItem.USER32(?,000003E9), ref: 00235DDD
            • GetWindowRect.USER32(00000000,?), ref: 00235DEF
            • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00235E31
            • GetDlgItem.USER32(?,000003EA), ref: 00235E44
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00235E5A
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00235E67
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            • Opcode ID: 45c201889dbb32ed2b431502de54e2b766eda874443167ef1623b370c6a97848
            • Instruction ID: d6861eac3ac3f9e330cc003ee8163e3d5cf041f70b748b0fe015f582055b1d63
            • Opcode Fuzzy Hash: 45c201889dbb32ed2b431502de54e2b766eda874443167ef1623b370c6a97848
            • Instruction Fuzzy Hash: BC5123B0B10619AFDF14DF68DD89AAEBBB9FB48311F208129F519E7294D7709D10CB50
            APIs
              • Part of subcall function 001E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001E8BE8,?,00000000,?,?,?,?,001E8BBA,00000000,?), ref: 001E8FC5
            • DestroyWindow.USER32(?), ref: 001E8C81
            • KillTimer.USER32(00000000,?,?,?,?,001E8BBA,00000000,?), ref: 001E8D1B
            • DestroyAcceleratorTable.USER32(00000000), ref: 00226973
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,001E8BBA,00000000,?), ref: 002269A1
            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,001E8BBA,00000000,?), ref: 002269B8
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001E8BBA,00000000), ref: 002269D4
            • DeleteObject.GDI32(00000000), ref: 002269E6
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: ae339c2c0aea6932ee27abcbd2c2c93ce98674304b6f25ca5de5de600432cf93
            • Instruction ID: d12498af839dc895287607c5195a2ec0d6ae3653dd52d59395c9d533e050cda1
            • Opcode Fuzzy Hash: ae339c2c0aea6932ee27abcbd2c2c93ce98674304b6f25ca5de5de600432cf93
            • Instruction Fuzzy Hash: DD61CF31412B51DFCB259F56E94CB6AB7F1FB42322F24851DE08697560CB71ACA0DF90
            APIs
              • Part of subcall function 001E9944: GetWindowLongW.USER32(?,000000EB), ref: 001E9952
            • GetSysColor.USER32(0000000F), ref: 001E9862
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: 7cabc63fec71fb70955fbde15dfcfcdedcc907c8e7bcda3ca8993e86e850efd4
            • Instruction ID: 958a4b3d7943229569e5284098841d17781f26ecad14c0bc3fd3c0b405cafdac
            • Opcode Fuzzy Hash: 7cabc63fec71fb70955fbde15dfcfcdedcc907c8e7bcda3ca8993e86e850efd4
            • Instruction Fuzzy Hash: F741D331104A94AFDB246F39AC88FBD3B65AB17330F248655F9A6872F2C7709C51DB11
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0021F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00239717
            • LoadStringW.USER32(00000000,?,0021F7F8,00000001), ref: 00239720
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0021F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00239742
            • LoadStringW.USER32(00000000,?,0021F7F8,00000001), ref: 00239745
            • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00239866
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wcslen
            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
            • API String ID: 747408836-2268648507
            • Opcode ID: a5159929706d4748c41556294ba6faf737d2571de5987f8471237ad33fe37f55
            • Instruction ID: 17ea2084a1a2ea56be86087987ac698f520de63116fea3fef181a7c9f3ee37f0
            • Opcode Fuzzy Hash: a5159929706d4748c41556294ba6faf737d2571de5987f8471237ad33fe37f55
            • Instruction Fuzzy Hash: 73416F72900209AACF04FBE0DE86DEEB378AF65740F100066F60572192EB756F59CB61
            APIs
              • Part of subcall function 001D6B57: _wcslen.LIBCMT ref: 001D6B6A
            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002307A2
            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002307BE
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002307DA
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00230804
            • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0023082C
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00230837
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0023083C
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
            • API String ID: 323675364-22481851
            • Opcode ID: 8b79ad033704fe13daecde868f4acadb3619633fae1855834d94ed02f5f8f985
            • Instruction ID: 7a65a2d1cae2e79853b3b94b42cc82d12d75a6ec8df1b51543c472a19abbe614
            • Opcode Fuzzy Hash: 8b79ad033704fe13daecde868f4acadb3619633fae1855834d94ed02f5f8f985
            • Instruction Fuzzy Hash: BF412672D10229ABDF15EFA4DC959EDB778FF14340F14412AE901A32A0EB709E14CBA0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00253C5C
            • CoInitialize.OLE32(00000000), ref: 00253C8A
            • CoUninitialize.OLE32 ref: 00253C94
            • _wcslen.LIBCMT ref: 00253D2D
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00253DB1
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00253ED5
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00253F0E
            • CoGetObject.OLE32(?,00000000,0026FB98,?), ref: 00253F2D
            • SetErrorMode.KERNEL32(00000000), ref: 00253F40
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00253FC4
            • VariantClear.OLEAUT32(?), ref: 00253FD8
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
            • String ID:
            • API String ID: 429561992-0
            • Opcode ID: d8d3b9444a552cce0fd4e54191509121c2810237a8801e4e537c2ed58ad7e361
            • Instruction ID: a0e47c1492ec8586c62fe6a8736e771433e5b69851d20fa1aa3a37ef374eca9e
            • Opcode Fuzzy Hash: d8d3b9444a552cce0fd4e54191509121c2810237a8801e4e537c2ed58ad7e361
            • Instruction Fuzzy Hash: 91C154716182019FD700DF68C88492BB7F9FF89789F10491DF98A9B210DB70EE19CB62
            APIs
            • CoInitialize.OLE32(00000000), ref: 00247AF3
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00247B8F
            • SHGetDesktopFolder.SHELL32(?), ref: 00247BA3
            • CoCreateInstance.OLE32(0026FD08,00000000,00000001,00296E6C,?), ref: 00247BEF
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00247C74
            • CoTaskMemFree.OLE32(?,?), ref: 00247CCC
            • SHBrowseForFolderW.SHELL32(?), ref: 00247D57
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00247D7A
            • CoTaskMemFree.OLE32(00000000), ref: 00247D81
            • CoTaskMemFree.OLE32(00000000), ref: 00247DD6
            • CoUninitialize.OLE32 ref: 00247DDC
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
            • String ID:
            • API String ID: 2762341140-0
            • Opcode ID: 82a66a59cc5842df2ca2933d201277da8a42ef414fbf5feb61b1f9a785af75ba
            • Instruction ID: e88f5c38e06a9f209235617e22fb1fa32bec3fd6890f3ce41837750b8b4da6e7
            • Opcode Fuzzy Hash: 82a66a59cc5842df2ca2933d201277da8a42ef414fbf5feb61b1f9a785af75ba
            • Instruction Fuzzy Hash: 86C12A75A14109EFCB14DFA4D888DAEBBF9FF48304B148499E81A9B361DB30ED45CB90
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00265504
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00265515
            • CharNextW.USER32(00000158), ref: 00265544
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00265585
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0026559B
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002655AC
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$CharNext
            • String ID:
            • API String ID: 1350042424-0
            • Opcode ID: 89e1e4695d286c005e79044dec22dd696da651d8446b4439084ecfe439914a97
            • Instruction ID: 8eab2e69bf9dde61334389322dd5d28ac305a34b53fd9fbd1d092ecb6393ada1
            • Opcode Fuzzy Hash: 89e1e4695d286c005e79044dec22dd696da651d8446b4439084ecfe439914a97
            • Instruction Fuzzy Hash: 5061903092162AAFDF109F64DC889FE7BB9FB05720F108145F565A6290DBB48AE0DB60
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0022FAAF
            • SafeArrayAllocData.OLEAUT32(?), ref: 0022FB08
            • VariantInit.OLEAUT32(?), ref: 0022FB1A
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 0022FB3A
            • VariantCopy.OLEAUT32(?,?), ref: 0022FB8D
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 0022FBA1
            • VariantClear.OLEAUT32(?), ref: 0022FBB6
            • SafeArrayDestroyData.OLEAUT32(?), ref: 0022FBC3
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0022FBCC
            • VariantClear.OLEAUT32(?), ref: 0022FBDE
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0022FBE9
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: f5aaa3ec3a9ed8edde6502e64fb72ee9a865d39d6f5116b3d54667f430526e19
            • Instruction ID: d1f954988e704e00d64626ab5665791e6cf06784cd2a13ae9017c28abb06f453
            • Opcode Fuzzy Hash: f5aaa3ec3a9ed8edde6502e64fb72ee9a865d39d6f5116b3d54667f430526e19
            • Instruction Fuzzy Hash: 2D415135A10219AFCB00EFA4E9589BEBBB9EF08344F108075E945A7261DB70E955CFA0
            APIs
            • GetKeyboardState.USER32(?), ref: 00239CA1
            • GetAsyncKeyState.USER32(000000A0), ref: 00239D22
            • GetKeyState.USER32(000000A0), ref: 00239D3D
            • GetAsyncKeyState.USER32(000000A1), ref: 00239D57
            • GetKeyState.USER32(000000A1), ref: 00239D6C
            • GetAsyncKeyState.USER32(00000011), ref: 00239D84
            • GetKeyState.USER32(00000011), ref: 00239D96
            • GetAsyncKeyState.USER32(00000012), ref: 00239DAE
            • GetKeyState.USER32(00000012), ref: 00239DC0
            • GetAsyncKeyState.USER32(0000005B), ref: 00239DD8
            • GetKeyState.USER32(0000005B), ref: 00239DEA
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: 07450ab6f5c71b5b2efbeeb17a91c36d30ee272b8c4c5d8a47b6c048cba438f6
            • Instruction ID: 51b3f4b31ab39fbc06778f0488adad0a81a4086ae4619378827bc5e1a9f0722d
            • Opcode Fuzzy Hash: 07450ab6f5c71b5b2efbeeb17a91c36d30ee272b8c4c5d8a47b6c048cba438f6
            • Instruction Fuzzy Hash: 7141E7B45147CB69FF30AE6488053B6BEA0AF17304F44805BCAC6562C2DBE499E4CB92
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 002505BC
            • inet_addr.WSOCK32(?), ref: 0025061C
            • gethostbyname.WSOCK32(?), ref: 00250628
            • IcmpCreateFile.IPHLPAPI ref: 00250636
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002506C6
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002506E5
            • IcmpCloseHandle.IPHLPAPI(?), ref: 002507B9
            • WSACleanup.WSOCK32 ref: 002507BF
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: 52b39aa6ad5c95148112ca9ac7d7440ed7cb6ea6efd7808df4bf69229c48f07a
            • Instruction ID: e1244927a9f1d78efe1c11bba2dd89961f463ab127b6c9bf301aa5cace12c07a
            • Opcode Fuzzy Hash: 52b39aa6ad5c95148112ca9ac7d7440ed7cb6ea6efd7808df4bf69229c48f07a
            • Instruction Fuzzy Hash: E5918D756142029FD320DF15D8C8F1ABBE4AF48318F1485A9E86A8B7A2D770ED59CF81
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$BuffCharLower
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 707087890-567219261
            • Opcode ID: e18cd60e8314567dd1be52f39449004a17ff84b5904c946a9313a1a8cde5dd35
            • Instruction ID: d92b0e59335377a8f92f8bb73f1ce228a8777c71fcf76f5aedf6e618983bbf06
            • Opcode Fuzzy Hash: e18cd60e8314567dd1be52f39449004a17ff84b5904c946a9313a1a8cde5dd35
            • Instruction Fuzzy Hash: FE51BE31A211179BCB14DF68C8418BEB3F5BF64725B204229F866F7284EBB0DD54CB94
            APIs
            • CoInitialize.OLE32 ref: 00253774
            • CoUninitialize.OLE32 ref: 0025377F
            • CoCreateInstance.OLE32(?,00000000,00000017,0026FB78,?), ref: 002537D9
            • IIDFromString.OLE32(?,?), ref: 0025384C
            • VariantInit.OLEAUT32(?), ref: 002538E4
            • VariantClear.OLEAUT32(?), ref: 00253936
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 636576611-1287834457
            • Opcode ID: 586a991c09c802a3fef9ace6330281a51cf36fb5946fe4e5315bd1fe5c181c4a
            • Instruction ID: 45f049cdb7db4962055b434ee6982a4aff9d19ccebe1991b53f738afbebe2fb9
            • Opcode Fuzzy Hash: 586a991c09c802a3fef9ace6330281a51cf36fb5946fe4e5315bd1fe5c181c4a
            • Instruction Fuzzy Hash: 1861D1B0628301AFD311DF54D888F6ABBE4EF49751F104909FC859B291D7B0EE58CBA6
            APIs
              • Part of subcall function 001E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001E9BB2
              • Part of subcall function 001E912D: GetCursorPos.USER32(?), ref: 001E9141
              • Part of subcall function 001E912D: ScreenToClient.USER32(00000000,?), ref: 001E915E
              • Part of subcall function 001E912D: GetAsyncKeyState.USER32(00000001), ref: 001E9183
              • Part of subcall function 001E912D: GetAsyncKeyState.USER32(00000002), ref: 001E919D
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00268B6B
            • ImageList_EndDrag.COMCTL32 ref: 00268B71
            • ReleaseCapture.USER32 ref: 00268B77
            • SetWindowTextW.USER32(?,00000000), ref: 00268C12
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00268C25
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00268CFF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#*
            • API String ID: 1924731296-2805786107
            • Opcode ID: 16db11c87c79cc7ddda769cd266d0e65503c0a4b02977e2de6b8f92fc7c9a797
            • Instruction ID: 606968fdd1201b5b1ad3518ea920c48d600826d1343bad81502a25455d72e771
            • Opcode Fuzzy Hash: 16db11c87c79cc7ddda769cd266d0e65503c0a4b02977e2de6b8f92fc7c9a797
            • Instruction Fuzzy Hash: 79519B71114301AFD704EF14EC5AFAA77E4FB89714F40062EF996A72A1CB709964CBA2
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002433CF
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002433F0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-3080491070
            • Opcode ID: 1413fac7371db7667a025ac02057c8998dc3e21405244a3c3f1e158be9a92859
            • Instruction ID: 564520bfa59827188b003c3353fe3dbced7607faba8e38531799097d7addf713
            • Opcode Fuzzy Hash: 1413fac7371db7667a025ac02057c8998dc3e21405244a3c3f1e158be9a92859
            • Instruction Fuzzy Hash: 9151BE72910209BADF18EBA0DD46EEEB778AF25740F104066F40572192EB712F68DF61
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 1256254125-769500911
            • Opcode ID: 175acb9d030fcef977a4675464626ea2eaac8a164d34a9c997f349694cd7681b
            • Instruction ID: f5db7d6acda8575bced846ba0a36fdfe764d850d39f14e4d894570a1813e1d6a
            • Opcode Fuzzy Hash: 175acb9d030fcef977a4675464626ea2eaac8a164d34a9c997f349694cd7681b
            • Instruction Fuzzy Hash: 014128B2B201278BCB115F7DC8915BEB7A9FFA0754F244129E621DB285E731CC91CB90
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 002453A0
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00245416
            • GetLastError.KERNEL32 ref: 00245420
            • SetErrorMode.KERNEL32(00000000,READY), ref: 002454A7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 9e17ff51443d155f6ecc8fa111081a0849adb8d073ea1bfebdc0ca3e9e0ca999
            • Instruction ID: 20e08914fa396e47ebd570e160d492227a37349a94e8ae2322ad6b547fd5b993
            • Opcode Fuzzy Hash: 9e17ff51443d155f6ecc8fa111081a0849adb8d073ea1bfebdc0ca3e9e0ca999
            • Instruction Fuzzy Hash: 4D31D235A201159FCB14DF68D488AAABBF4EF15305F148065E845CF393DB70DD92CBA0
            APIs
            • CreateMenu.USER32 ref: 00263C79
            • SetMenu.USER32(?,00000000), ref: 00263C88
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00263D10
            • IsMenu.USER32(?), ref: 00263D24
            • CreatePopupMenu.USER32 ref: 00263D2E
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00263D5B
            • DrawMenuBar.USER32 ref: 00263D63
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup
            • String ID: 0$F
            • API String ID: 161812096-3044882817
            • Opcode ID: d71d9acf7231d7c548cb1ac39e3eab03f0c8bbd60dc631fa6e7a7bd3a3b1e2d3
            • Instruction ID: a3966676673bd0436cab574e99d83965848a7e1dc4ccb4a3ca5937f983f67132
            • Opcode Fuzzy Hash: d71d9acf7231d7c548cb1ac39e3eab03f0c8bbd60dc631fa6e7a7bd3a3b1e2d3
            • Instruction Fuzzy Hash: D9417E75A1120AEFDB14DF64EC48AAA7BB5FF49350F144029F946A7360D770AA20CF90
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00263A9D
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00263AA0
            • GetWindowLongW.USER32(?,000000F0), ref: 00263AC7
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00263AEA
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00263B62
            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00263BAC
            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00263BC7
            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00263BE2
            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00263BF6
            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00263C13
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$LongWindow
            • String ID:
            • API String ID: 312131281-0
            • Opcode ID: 80baa88a831ee8ca3e23e78ef443a56d46b2f1b3a5c13e7ec5f9dfcc967662ec
            • Instruction ID: 668ad8a7d2922921ff8ef8a26b06b583fa394b8813b0482a26acaf7821884e3a
            • Opcode Fuzzy Hash: 80baa88a831ee8ca3e23e78ef443a56d46b2f1b3a5c13e7ec5f9dfcc967662ec
            • Instruction Fuzzy Hash: E7617A75900209AFDB10DFA8CC81EEE77B8EB09714F10419AFA15E72A1C774AAA5DB50
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 0023B151
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B165
            • GetWindowThreadProcessId.USER32(00000000), ref: 0023B16C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B17B
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0023B18D
            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B1A6
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B1B8
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B1FD
            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B212
            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B21D
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            • Opcode ID: ae85031de32f9dee2e9c72442391671ee21cccfa8699dcb8be09536df1309604
            • Instruction ID: 503d143015f1df1fd957dadbe7e536bc89713e05f9a37bee3f20ec693250a18e
            • Opcode Fuzzy Hash: ae85031de32f9dee2e9c72442391671ee21cccfa8699dcb8be09536df1309604
            • Instruction Fuzzy Hash: B731CCB1520205BFDB12EF24EC4DB7EBBADBB92311F208114FA46D6190DBB49A018F64
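            The API bullet lines in blocks like the ICMP echo function above (WSAStartup through WSACleanup, with IcmpSendEcho called twice) and the AttachThreadInput function just above are the raw material for triage, but the report gives them as text only. The following is an added example, not code from Joe Sandbox or from the analysed sample: a small Python parser that turns those bullet lines into records, decodes the 8-hex-digit literals (so the last IcmpSendEcho argument 00000FA0 reads as a 4000 ms timeout, the 8th parameter of that API), keeps "Part of subcall function" lines apart from direct calls, and flags API combinations. The rule names in RULES are this example's own hypothetical labels, not Joe Sandbox signatures; the SAMPLE_PING text is copied from the report's ICMP block, and SAMPLE_FOCUS is constructed from the AttachThreadInput block plus one subcall line borrowed from the LoadStringW block to exercise the prefix handling.

```python
"""Parse Joe Sandbox 'APIs' bullet lines into records and flag API chains.

Added triage example for reports like this one; not Joe Sandbox code.
SAMPLE_PING is copied from the report's ICMP block, SAMPLE_FOCUS is
constructed from report lines. RULES is this example's own heuristic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet line: optional "Part of subcall function X:" prefix, then
# Api.MODULE(args), ref: ADDRESS. Args and the comma are absent on lines
# such as "IcmpCreateFile.IPHLPAPI ref: 00250636".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                         # int for 8-hex-digit literals, None for '?', str otherwise
    ref: int                           # call-site address from the "ref:" field
    subcall_of: Optional[str] = None   # set for "Part of subcall function" lines

def decode_arg(tok: str):
    """Joe Sandbox prints unknown values as '?' and constants as 8 hex digits."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                         # string constants such as 'close all' stay text

def parse_block(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                   # 'APIs', 'Strings' and other non-call lines
        raw = m.group("args")
        args = [decode_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls

def echo_timeouts_ms(calls: List[ApiCall]) -> List[int]:
    """Timeout (8th IcmpSendEcho parameter, milliseconds) of each echo call."""
    return [c.args[7] for c in calls if c.api == "IcmpSendEcho" and len(c.args) == 8]

# Hypothetical rule names (this example's own): every API must be a direct call.
RULES = {
    "icmp_echo_probe": {"IcmpCreateFile", "IcmpSendEcho"},
    "foreground_thread_input_attach": {"GetForegroundWindow", "AttachThreadInput"},
    "wininet_http_request": {"InternetOpenUrlW", "HttpSendRequestW"},
}

def classify(calls: List[ApiCall]) -> List[str]:
    direct = {c.api for c in calls if c.subcall_of is None}
    return sorted(tag for tag, needed in RULES.items() if needed <= direct)

SAMPLE_PING = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 002505BC
• inet_addr.WSOCK32(?), ref: 0025061C
• gethostbyname.WSOCK32(?), ref: 00250628
• IcmpCreateFile.IPHLPAPI ref: 00250636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002506C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002506E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 002507B9
• WSACleanup.WSOCK32 ref: 002507BF
Strings
"""

SAMPLE_FOCUS = """\
APIs
  • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
• GetCurrentThreadId.KERNEL32 ref: 0023B151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B165
• GetWindowThreadProcessId.USER32(00000000), ref: 0023B16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B17B
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0023A1E1,?,00000001), ref: 0023B21D
"""

if __name__ == "__main__":
    for name, text in (("ping", SAMPLE_PING), ("focus", SAMPLE_FOCUS)):
        calls = parse_block(text)
        print(name, len(calls), "calls ->", classify(calls), echo_timeouts_ms(calls))
```

            One caveat when reading rule hits on this report: the Ping, @GUI_DRAGFILE and >>>AUTOIT SCRIPT<<< string IDs in this section mark these blocks as AutoIt runtime functions, so a hit means the interpreter carries the capability, not that the embedded script exercises it. Confirm against the dynamic behaviour sections before reporting it as sample behaviour.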
            APIs
            • _free.LIBCMT ref: 00202C94
              • Part of subcall function 002029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000), ref: 002029DE
              • Part of subcall function 002029C8: GetLastError.KERNEL32(00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000,00000000), ref: 002029F0
            • _free.LIBCMT ref: 00202CA0
            • _free.LIBCMT ref: 00202CAB
            • _free.LIBCMT ref: 00202CB6
            • _free.LIBCMT ref: 00202CC1
            • _free.LIBCMT ref: 00202CCC
            • _free.LIBCMT ref: 00202CD7
            • _free.LIBCMT ref: 00202CE2
            • _free.LIBCMT ref: 00202CED
            • _free.LIBCMT ref: 00202CFB
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 90bd12fdaf323b8fb2f77e95960b0a1ad8df3298631bd7cb86c75fef75cc5207
            • Instruction ID: 34b0fc800bf586faee806caf516a69c6187f321a66ecafe7378cc62f7dc512c6
            • Opcode Fuzzy Hash: 90bd12fdaf323b8fb2f77e95960b0a1ad8df3298631bd7cb86c75fef75cc5207
            • Instruction Fuzzy Hash: D7119676120208EFCB02EF54D846DDD3BA9FF05350F6154A6F9485B262D631EA649F90
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001D1459
            • OleUninitialize.OLE32(?,00000000), ref: 001D14F8
            • UnregisterHotKey.USER32(?), ref: 001D16DD
            • DestroyWindow.USER32(?), ref: 002124B9
            • FreeLibrary.KERNEL32(?), ref: 0021251E
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0021254B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: 2c6c258f63d1a347e0c375666fd29dd0910a179850470b087ba435abfc0e5f6f
            • Instruction ID: 00ca08d51aadfd7782a1a0dc9e274a8d8f7907ea12e06bdd6cf9cd8d1ba86ddb
            • Opcode Fuzzy Hash: 2c6c258f63d1a347e0c375666fd29dd0910a179850470b087ba435abfc0e5f6f
            • Instruction Fuzzy Hash: F5D1BD31711212EFCB19EF15D898A69F7A5BF15700F2181AEE84A6B351CB30EC66CF50
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 001D5C7A
              • Part of subcall function 001D5D0A: GetClientRect.USER32(?,?), ref: 001D5D30
              • Part of subcall function 001D5D0A: GetWindowRect.USER32(?,?), ref: 001D5D71
              • Part of subcall function 001D5D0A: ScreenToClient.USER32(?,?), ref: 001D5D99
            • GetDC.USER32 ref: 002146F5
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00214708
            • SelectObject.GDI32(00000000,00000000), ref: 00214716
            • SelectObject.GDI32(00000000,00000000), ref: 0021472B
            • ReleaseDC.USER32(?,00000000), ref: 00214733
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002147C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: a701643ae4849920a59d524ffc2b4c24dbadf7ddf9f3fdf3adbafd9e3dd797a4
            • Instruction ID: c7a6cf5977b9865d4a5e4751d9bd7080ad75b673e9ed641fbb0841f82926d89a
            • Opcode Fuzzy Hash: a701643ae4849920a59d524ffc2b4c24dbadf7ddf9f3fdf3adbafd9e3dd797a4
            • Instruction Fuzzy Hash: AD712830510206DFCF21AF64C984AFA7BF6FF5A325F144226ED595A2A6C7309CA2DF50
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002435E4
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • LoadStringW.USER32(002A2390,?,00000FFF,?), ref: 0024360A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-2391861430
            • Opcode ID: a9467c814c3e40a04ac41811e67ba7d6afa7ba73e625299a51795515efeadfe9
            • Instruction ID: d816f022ba63580cf8bb14a805dbed7207546195f62b4340c3958842ec771287
            • Opcode Fuzzy Hash: a9467c814c3e40a04ac41811e67ba7d6afa7ba73e625299a51795515efeadfe9
            • Instruction Fuzzy Hash: BD51917191020ABBDF14EFA0DC46EEEBB78AF15710F144126F115722A1EB711BA8DF61
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0024C272
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0024C29A
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0024C2CA
            • GetLastError.KERNEL32 ref: 0024C322
            • SetEvent.KERNEL32(?), ref: 0024C336
            • InternetCloseHandle.WININET(00000000), ref: 0024C341
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: 057eb991a838c23e0094cd35f0310cbf8a4cdc431ca4d476d5c48c10b3a523a9
            • Instruction ID: afc675a5d79cfb1210ae6a6c3bdfcca035a03bf4a64fb005e9e7d3597a466c2b
            • Opcode Fuzzy Hash: 057eb991a838c23e0094cd35f0310cbf8a4cdc431ca4d476d5c48c10b3a523a9
            • Instruction Fuzzy Hash: 6931C271611204AFD766AF689C88A7B7BFCEB49740F20851EF486D3200DBB0DD149B60
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00213AAF,?,?,Bad directive syntax error,0026CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002398BC
            • LoadStringW.USER32(00000000,?,00213AAF,?), ref: 002398C3
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00239987
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: HandleLoadMessageModuleString_wcslen
            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
            • API String ID: 858772685-4153970271
            • Opcode ID: ad176dfa1d01344d853955bce8f8500b9242b90523b3fe5dcc97722c5744fce2
            • Instruction ID: 4fa3c6fd052167e49368a682d4421a141e291446124ee5a6d0636a44102fc8e9
            • Opcode Fuzzy Hash: ad176dfa1d01344d853955bce8f8500b9242b90523b3fe5dcc97722c5744fce2
            • Instruction Fuzzy Hash: 3E21A03192020EBBCF11AF90CC0AEEE7779BF29700F04446AF515661A2EB719A68DB11
            APIs
            • GetParent.USER32 ref: 002320AB
            • GetClassNameW.USER32(00000000,?,00000100), ref: 002320C0
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0023214D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1290815626-3381328864
            • Opcode ID: 7e54e208f3045d4710fc480d0da36d52499460da35f891c15a5653c2c6e26575
            • Instruction ID: 21583feb625a8aaa1bfc82017bdf2ae6cd505fd4660b232085222126c8fed195
            • Opcode Fuzzy Hash: 7e54e208f3045d4710fc480d0da36d52499460da35f891c15a5653c2c6e26575
            • Instruction Fuzzy Hash: 42113AB63A831BFAFA052620EC1ADB7339CCB15328F300116F749A50D6EBA168265614
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
            • String ID:
            • API String ID: 1282221369-0
            • Opcode ID: cca6478c694d572da701e86c136d480b88f0909d9752da0ed8d4dc328a163015
            • Instruction ID: 2901ec7347a72ca1fbb77097bf5a2a75ed00699c4b9f1250462804531873e728
            • Opcode Fuzzy Hash: cca6478c694d572da701e86c136d480b88f0909d9752da0ed8d4dc328a163015
            • Instruction Fuzzy Hash: 93615DB1924307AFDB21AFB4D88966D7BA5EF01310F24426FF944972C3DA319D258B51
            APIs
            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00226890
            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002268A9
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002268B9
            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002268D1
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002268F2
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00226901
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0022691E
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0022692D
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend
            • String ID:
            • API String ID: 1268354404-0
            • Opcode ID: 6d0f529dd542e833eec75e62cfd9e290c4a569fd7298f8f4709f052ac6fe991f
            • Instruction ID: 64c44eeed8405e581eaa1f1ca668b7ccfbb044dea72e78456e5bf776a12569fd
            • Opcode Fuzzy Hash: 6d0f529dd542e833eec75e62cfd9e290c4a569fd7298f8f4709f052ac6fe991f
            • Instruction Fuzzy Hash: 2651CA7061060AEFDB24DF25DC59FAE7BB5FB48360F204518F946972A0DBB0E9A0CB40
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0024C182
            • GetLastError.KERNEL32 ref: 0024C195
            • SetEvent.KERNEL32(?), ref: 0024C1A9
              • Part of subcall function 0024C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0024C272
              • Part of subcall function 0024C253: GetLastError.KERNEL32 ref: 0024C322
              • Part of subcall function 0024C253: SetEvent.KERNEL32(?), ref: 0024C336
              • Part of subcall function 0024C253: InternetCloseHandle.WININET(00000000), ref: 0024C341
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
            • String ID:
            • API String ID: 337547030-0
            • Opcode ID: f707044fb034437177071afcb5e1b869887f92f3cf47e42d80341aaeac01955e
            • Instruction ID: c2cf493f99f3b8e05615f5731190c3b66186665c143a60062f01bec40bd55521
            • Opcode Fuzzy Hash: f707044fb034437177071afcb5e1b869887f92f3cf47e42d80341aaeac01955e
            • Instruction Fuzzy Hash: FA31A371111641AFDB659FB9EC08A76BBF8FF18300B20841EFD5A86610D7F1E8249F60
            APIs
              • Part of subcall function 00233A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00233A57
              • Part of subcall function 00233A3D: GetCurrentThreadId.KERNEL32 ref: 00233A5E
              • Part of subcall function 00233A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002325B3), ref: 00233A65
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 002325BD
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002325DB
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002325DF
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 002325E9
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00232601
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00232605
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 0023260F
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00232623
            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00232627
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: 75f6b437dd1ca7bac5a802acdeedb6daafae11cb02b67d7318088def188e7f22
            • Instruction ID: 110afcc1168e29846c2a4405a042334e79137bef371e55e66640aed9dcc4e5e9
            • Opcode Fuzzy Hash: 75f6b437dd1ca7bac5a802acdeedb6daafae11cb02b67d7318088def188e7f22
            • Instruction Fuzzy Hash: 6701B1706A0210BBFB107768EC8EF693E59DB8AB12F204011F358AE0E1C9E264548A69
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00231449,?,?,00000000), ref: 0023180C
            • HeapAlloc.KERNEL32(00000000,?,00231449,?,?,00000000), ref: 00231813
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00231449,?,?,00000000), ref: 00231828
            • GetCurrentProcess.KERNEL32(?,00000000,?,00231449,?,?,00000000), ref: 00231830
            • DuplicateHandle.KERNEL32(00000000,?,00231449,?,?,00000000), ref: 00231833
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00231449,?,?,00000000), ref: 00231843
            • GetCurrentProcess.KERNEL32(00231449,00000000,?,00231449,?,?,00000000), ref: 0023184B
            • DuplicateHandle.KERNEL32(00000000,?,00231449,?,?,00000000), ref: 0023184E
            • CreateThread.KERNEL32(00000000,00000000,00231874,00000000,00000000,00000000), ref: 00231868
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: a68e7221197d92ddd1647b01dbf8fbdb69386f837e7c40a71aba59ed75bd6bab
            • Instruction ID: 1c0586cda209bb83656e5d1b3723b434f71ad5280896093ce95fbca3a4f5f0df
            • Opcode Fuzzy Hash: a68e7221197d92ddd1647b01dbf8fbdb69386f837e7c40a71aba59ed75bd6bab
            • Instruction Fuzzy Hash: 3301BFB5240344BFE710BB65EC4DF673B6CEB8AB11F208451FA45DB191C6B19810CB30
            APIs
              • Part of subcall function 0023D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0023D501
              • Part of subcall function 0023D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0023D50F
              • Part of subcall function 0023D4DC: CloseHandle.KERNEL32(00000000), ref: 0023D5DC
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0025A16D
            • GetLastError.KERNEL32 ref: 0025A180
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0025A1B3
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0025A268
            • GetLastError.KERNEL32(00000000), ref: 0025A273
            • CloseHandle.KERNEL32(00000000), ref: 0025A2C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: 96690a6764943ed6a45584bb5e766ad8329ea78ee7a94864c34561f7c7bdc248
            • Instruction ID: 715659472875afeab0cddff1b346a6c7704a9e4dab0802273c4d4e0ebf7df977
            • Opcode Fuzzy Hash: 96690a6764943ed6a45584bb5e766ad8329ea78ee7a94864c34561f7c7bdc248
            • Instruction Fuzzy Hash: 0E61E370214242AFD710DF18C496F26BBE1AF54318F14C58CE85A8B7A3C7B2EC59CB96
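The per-function listings on this page can be triaged mechanically. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the format shown here, decodes the PostMessageW keystroke sequence of the AttachThreadInput function above (WM_KEYDOWN 0x100 and WM_KEYUP 0x101 carrying VK_LEFT 0x25 and VK_RIGHT 0x27), flags the OpenProcess(PROCESS_TERMINATE)/TerminateProcess function whose string table carries SeDebugPrivilege, and flags the earlier InternetConnectW/InternetOpenUrlW download function. The three sample records are abbreviated copies of entries from this page; the tag names, the virtual-key table and the rule set are the example's own choices. One caveat: the report classifies the binary as a compiled AutoIt script, and API chains like these (keystroke injection, process termination, WinINet fetch) are consistent with the interpreter's built-in functions, so they describe what the runtime can do, not necessarily what the embedded script does.

```python
"""Triage Joe Sandbox per-function API listings (added example, not the report's own tooling)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# One API line, with or without an argument list or a "Part of subcall function" prefix.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID):\s*(?P<val>.*)$")

WM_KEYDOWN, WM_KEYUP, PROCESS_TERMINATE = 0x100, 0x101, 0x1
VK_NAMES = {0x08: "VK_BACK", 0x09: "VK_TAB", 0x0D: "VK_RETURN", 0x25: "VK_LEFT", 0x27: "VK_RIGHT"}
MSG_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}
WININET = {"InternetOpenW", "InternetConnectW", "InternetOpenUrlW", "HttpOpenRequestW"}

# args: hex strings as printed ('?' = not recovered); subcall: a "Part of subcall function" line
ApiCall = namedtuple("ApiCall", "name module args ref subcall")

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

def parse_records(text):
    """Split a listing into per-function records; each ends at its Instruction Fuzzy Hash line."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m, f = API_RE.match(line), FIELD_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(), bool(m["sub"])))
        elif f:
            setattr(cur, f["key"].lower().replace(" ", "_"), f["val"].strip())
        elif "Instruction Fuzzy Hash:" in line:
            records.append(cur)
            cur = FunctionRecord()
    return records

def _hex(arg):
    """Printed argument as int, or None for '?' (value not statically resolved)."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def decode_keystrokes(rec):
    """Key sequence from WM_KEYDOWN/WM_KEYUP messages, e.g. [("KEYDOWN", "VK_LEFT"), ...]."""
    keys = []
    for c in rec.calls:
        if c.name in MSG_APIS and len(c.args) >= 3:
            msg, vk = _hex(c.args[1]), _hex(c.args[2])
            if msg in (WM_KEYDOWN, WM_KEYUP):
                name = "?" if vk is None else VK_NAMES.get(vk, f"VK_{vk:02X}")
                keys.append(("KEYDOWN" if msg == WM_KEYDOWN else "KEYUP", name))
    return keys

def open_process_access(rec):
    """Access masks passed to OpenProcess (0x1 == PROCESS_TERMINATE)."""
    return [_hex(c.args[0]) for c in rec.calls if c.name == "OpenProcess" and c.args]

def classify(rec):
    """Behaviour tags for one record; the tag names are this example's own."""
    names = {c.name for c in rec.calls}
    tags = []
    if "OpenProcess" in names and "TerminateProcess" in names:
        tags.append("process-termination")
        if PROCESS_TERMINATE in open_process_access(rec):
            tags.append("opens-for-terminate")
        if "SeDebugPrivilege" in rec.string_id:
            tags.append("debug-privilege")  # needed to reach processes of other users
    if "AttachThreadInput" in names and decode_keystrokes(rec):
        tags.append("synthetic-input")      # keystrokes queued to another thread's window
    if names & WININET:
        tags.append("network-wininet")
    return tags

# Abbreviated copies of three records from this report, used here as sample input.
SAMPLE = """\
APIs
  • Part of subcall function 00233A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002325B3), ref: 00233A65
  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002325DB
  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00232601
  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00232623
  • Opcode ID: 75f6b437dd1ca7bac5a802acdeedb6daafae11cb02b67d7318088def188e7f22
  • Instruction Fuzzy Hash: 6701B1706A0210BBFB107768EC8EF693E59DB8AB12F204011F358AE0E1C9E264548A69
APIs
  • Part of subcall function 0023D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0023D501
  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0025A16D
  • GetLastError.KERNEL32 ref: 0025A180
  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0025A268
  • String ID: SeDebugPrivilege
  • Opcode ID: 96690a6764943ed6a45584bb5e766ad8329ea78ee7a94864c34561f7c7bdc248
  • Instruction Fuzzy Hash: 0E61E370214242AFD710DF18C496F26BBE1AF54318F14C58CE85A8B7A3C7B2EC59CB96
APIs
  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0024C182
  • Part of subcall function 0024C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0024C272
  • Instruction Fuzzy Hash: FA31A371111641AFDB659FB9EC08A76BBF8FF18300B20841EFD5A86610D7F1E8249F60
"""
```

Run `parse_records(SAMPLE)` and pass each record to `classify` and `decode_keystrokes`; the keystroke decoder only reads the wParam of key messages, so an argument the plugin printed as `?` yields a `?` key rather than an exception, and the `ref:` addresses survive on each `ApiCall` for cross-referencing against the disassembly.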
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00263925
            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0026393A
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00263954
            • _wcslen.LIBCMT ref: 00263999
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 002639C6
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 002639F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$Window_wcslen
            • String ID: SysListView32
            • API String ID: 2147712094-78025650
            • Opcode ID: 0a72c1086be1463aac07c5d1ad0b49fa9c9b0e9105366832d5d89b277452ea16
            • Instruction ID: 5d72b1d3416816205c0159861f6f912028531786c9455c87de3ce729cb6ce112
            • Opcode Fuzzy Hash: 0a72c1086be1463aac07c5d1ad0b49fa9c9b0e9105366832d5d89b277452ea16
            • Instruction Fuzzy Hash: 9A419471A10219ABEF21DF64CC49FEA77A9EF48354F100526F958E7281D7B19DA0CF90
            APIs
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0023BCFD
            • IsMenu.USER32(00000000), ref: 0023BD1D
            • CreatePopupMenu.USER32 ref: 0023BD53
            • GetMenuItemCount.USER32(01595840), ref: 0023BDA4
            • InsertMenuItemW.USER32(01595840,?,00000001,00000030), ref: 0023BDCC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup
            • String ID: 0$2
            • API String ID: 93392585-3793063076
            • Opcode ID: b7569e4bc495d0b2a72058997eb28b1874aff4b6ba0686ecbcec6fc9bd510263
            • Instruction ID: 8052570429f678ffb371123e54b19d3a9544b1a777da34ece4689a72fac6e904
            • Opcode Fuzzy Hash: b7569e4bc495d0b2a72058997eb28b1874aff4b6ba0686ecbcec6fc9bd510263
            • Instruction Fuzzy Hash: F451B2B0A1030E9BDF12DFA8D8C8BAEBBF4BF45314F248159E641E7291D7B09951CB51
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 0023C913
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: 61e886352f00d439c39cdeb39a7826487b4b2661459131a89fb2ae2326054d4e
            • Instruction ID: 39c97386bf4f2e7621c8624d47a03441adf1d3dcaeced1050af087745421c7d1
            • Opcode Fuzzy Hash: 61e886352f00d439c39cdeb39a7826487b4b2661459131a89fb2ae2326054d4e
            • Instruction Fuzzy Hash: E911EB726A930BBAAB019B54DC82DFB77DCDF15754F31006AF501B7282D7A1AF105364
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$LocalTime
            • String ID:
            • API String ID: 952045576-0
            • Opcode ID: bd9b0ef7dd88cf60c269c8a5c1c1378cd66b73b1b92e25f6aa8ed8933ad6d278
            • Instruction ID: 1dc234ee2a212206a6a01001f2bf5097d37c9eb3d0526b3736831afe7459deb6
            • Opcode Fuzzy Hash: bd9b0ef7dd88cf60c269c8a5c1c1378cd66b73b1b92e25f6aa8ed8933ad6d278
            • Instruction Fuzzy Hash: A741D2A5D1021C76CB11EBF4888AAEFB3ACAF65710F508466F618E3161FB34E255C3E5
            APIs
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0022682C,00000004,00000000,00000000), ref: 001EF953
            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0022682C,00000004,00000000,00000000), ref: 0022F3D1
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0022682C,00000004,00000000,00000000), ref: 0022F454
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: f10ca454798bf680691f893cf81e3819b97e29cd5c02842eebc1dd8bc72f8b17
            • Instruction ID: b6b0aa2615612e80121cc302f0748e60608169e9ccdf4651367edb246cb1274d
            • Opcode Fuzzy Hash: f10ca454798bf680691f893cf81e3819b97e29cd5c02842eebc1dd8bc72f8b17
            • Instruction Fuzzy Hash: E2414C30114AC0BAC7799F2AE98C73EBBA1AB56318F25403DF8C757562C7B19882CB11
            APIs
            • DeleteObject.GDI32(00000000), ref: 00262D1B
            • GetDC.USER32(00000000), ref: 00262D23
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00262D2E
            • ReleaseDC.USER32(00000000,00000000), ref: 00262D3A
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00262D76
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00262D87
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00265A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00262DC2
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00262DE1
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: 992cd10311fe53e35ca35eea3533b96b5f48ca516855c4b23d8c7e002223207f
            • Instruction ID: 87210a06d0c53a668ae3e1925b5511c152a7c8e9ce06d56146d076d0432d0517
            • Opcode Fuzzy Hash: 992cd10311fe53e35ca35eea3533b96b5f48ca516855c4b23d8c7e002223207f
            • Instruction Fuzzy Hash: 2431BA72211610BFEB259F10DC8AFFB3BADEF49715F048055FE489A291C6B59C90CBA4
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: e8ff37e5728474c17099a8040f230245b83bf0dde82051217c621e0f4d2e7935
            • Instruction ID: 0ba553062c25260806185b81e86da4e6934c8bc230af515490bfb13d2a3f7d8f
            • Opcode Fuzzy Hash: e8ff37e5728474c17099a8040f230245b83bf0dde82051217c621e0f4d2e7935
            • Instruction Fuzzy Hash: 822198F177492AB7D61499119E83FBA635EAE31394F840021FE099A541F760ED30C9E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID:
            • String ID: NULL Pointer assignment$Not an Object type
            • API String ID: 0-572801152
            • Opcode ID: c928756af39101f96cf52db322eba3f3150139a36c2abfcfbd356de660562eab
            • Instruction ID: 040b8101a571187e0305d40a24fff52a8477e8ec23e297980ab4fbe010066713
            • Opcode Fuzzy Hash: c928756af39101f96cf52db322eba3f3150139a36c2abfcfbd356de660562eab
            • Instruction Fuzzy Hash: 79D1E371A1061AAFDF10CFA8C890BAEB7B5BF48354F148069ED19EB280E770DD59CB54
            APIs
            • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002115CE
            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00211651
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002117FB,?,002117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002116E4
            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002116FB
              • Part of subcall function 00203820: RtlAllocateHeap.NTDLL(00000000,?,002A1444,?,001EFDF5,?,?,001DA976,00000010,002A1440,001D13FC,?,001D13C6,?,001D1129), ref: 00203852
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00211777
            • __freea.LIBCMT ref: 002117A2
            • __freea.LIBCMT ref: 002117AE
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
            • String ID:
            • API String ID: 2829977744-0
            • Opcode ID: 0ae089841ae67f4792938db6647f4037dc97af1cf263d476636b358f71d1fd2e
            • Instruction ID: 2aed5c8583d9e25491625244d65edaff2eca0e4c752e5829f069cfb1e3582b60
            • Opcode Fuzzy Hash: 0ae089841ae67f4792938db6647f4037dc97af1cf263d476636b358f71d1fd2e
            • Instruction Fuzzy Hash: DD91E871E20216AEDB208E74DC41AEEBBFA9F69310F584559EA01E7281D735CCF1CB60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Variant$ClearInit
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2610073882-625585964
            • Opcode ID: 0d593800bf13642994e5c8b31bce51bd520236f749131b852f9ebfb8fabfa869
            • Instruction ID: f690fb0e4010e2ca6bae881a0e074d347f802e12ceee3baae25e10a247582120
            • Opcode Fuzzy Hash: 0d593800bf13642994e5c8b31bce51bd520236f749131b852f9ebfb8fabfa869
            • Instruction Fuzzy Hash: 6491E630A20215AFDF20DFA5C844FAEF7B8EF46719F108519F905AB280D7709995CFA4
            APIs
            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0024125C
            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00241284
            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002412A8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002412D8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0024135F
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002413C4
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00241430
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ArraySafe$Data$Access$UnaccessVartype
            • String ID:
            • API String ID: 2550207440-0
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 0025396B
            • CharUpperBuffW.USER32(?,?), ref: 00253A7A
            • _wcslen.LIBCMT ref: 00253A8A
            • VariantClear.OLEAUT32(?), ref: 00253C1F
              • Part of subcall function 00240CDF: VariantInit.OLEAUT32(00000000), ref: 00240D1F
              • Part of subcall function 00240CDF: VariantCopy.OLEAUT32(?,?), ref: 00240D28
              • Part of subcall function 00240CDF: VariantClear.OLEAUT32(?), ref: 00240D34
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4137639002-1221869570
            APIs
              • Part of subcall function 0023000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?,?,?,0023035E), ref: 0023002B
              • Part of subcall function 0023000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?,?), ref: 00230046
              • Part of subcall function 0023000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?,?), ref: 00230054
              • Part of subcall function 0023000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?), ref: 00230064
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00254C51
            • _wcslen.LIBCMT ref: 00254D59
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00254DCF
            • CoTaskMemFree.OLE32(?), ref: 00254DDA
            Similarity
            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 614568839-2785691316
            APIs
            • GetMenu.USER32(?), ref: 00262183
            • GetMenuItemCount.USER32(00000000), ref: 002621B5
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002621DD
            • _wcslen.LIBCMT ref: 00262213
            • GetMenuItemID.USER32(?,?), ref: 0026224D
            • GetSubMenu.USER32(?,?), ref: 0026225B
              • Part of subcall function 00233A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00233A57
              • Part of subcall function 00233A3D: GetCurrentThreadId.KERNEL32 ref: 00233A5E
              • Part of subcall function 00233A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002325B3), ref: 00233A65
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002622E3
              • Part of subcall function 0023E97B: Sleep.KERNEL32 ref: 0023E9F3
            Similarity
            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
            • String ID:
            • API String ID: 4196846111-0
            APIs
            • GetParent.USER32(?), ref: 0023AEF9
            • GetKeyboardState.USER32(?), ref: 0023AF0E
            • SetKeyboardState.USER32(?), ref: 0023AF6F
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 0023AF9D
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 0023AFBC
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 0023AFFD
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0023B020
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            APIs
            • GetParent.USER32(00000000), ref: 0023AD19
            • GetKeyboardState.USER32(?), ref: 0023AD2E
            • SetKeyboardState.USER32(?), ref: 0023AD8F
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0023ADBB
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0023ADD8
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0023AE17
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0023AE38
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            APIs
            • GetConsoleCP.KERNEL32(00213CD6,?,?,?,?,?,?,?,?,00205BA3,?,?,00213CD6,?,?), ref: 00205470
            • __fassign.LIBCMT ref: 002054EB
            • __fassign.LIBCMT ref: 00205506
            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00213CD6,00000005,00000000,00000000), ref: 0020552C
            • WriteFile.KERNEL32(?,00213CD6,00000000,00205BA3,00000000,?,?,?,?,?,?,?,?,?,00205BA3,?), ref: 0020554B
            • WriteFile.KERNEL32(?,?,00000001,00205BA3,00000000,?,?,?,?,?,?,?,?,?,00205BA3,?), ref: 00205584
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            APIs
            • _ValidateLocalCookies.LIBCMT ref: 001F2D4B
            • ___except_validate_context_record.LIBVCRUNTIME ref: 001F2D53
            • _ValidateLocalCookies.LIBCMT ref: 001F2DE1
            • __IsNonwritableInCurrentImage.LIBCMT ref: 001F2E0C
            • _ValidateLocalCookies.LIBCMT ref: 001F2E61
            Similarity
            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
            • String ID: csm
            • API String ID: 1170836740-1018135373
            APIs
              • Part of subcall function 0025304E: inet_addr.WSOCK32(?), ref: 0025307A
              • Part of subcall function 0025304E: _wcslen.LIBCMT ref: 0025309B
            • socket.WSOCK32(00000002,00000001,00000006), ref: 00251112
            • WSAGetLastError.WSOCK32 ref: 00251121
            • WSAGetLastError.WSOCK32 ref: 002511C9
            • closesocket.WSOCK32(00000000), ref: 002511F9
            Similarity
            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
            • String ID:
            • API String ID: 2675159561-0
            APIs
              • Part of subcall function 0023DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0023CF22,?), ref: 0023DDFD
              • Part of subcall function 0023DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0023CF22,?), ref: 0023DE16
            • lstrcmpiW.KERNEL32(?,?), ref: 0023CF45
            • MoveFileW.KERNEL32(?,?), ref: 0023CF7F
            • _wcslen.LIBCMT ref: 0023D005
            • _wcslen.LIBCMT ref: 0023D01B
            • SHFileOperationW.SHELL32(?), ref: 0023D061
            Similarity
            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
            • String ID: \*.*
            • API String ID: 3164238972-1173974218
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00262E1C
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00262E4F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00262E84
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00262EB6
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00262EE0
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00262EF1
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00262F0B
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00237769
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0023778F
            • SysAllocString.OLEAUT32(00000000), ref: 00237792
            • SysAllocString.OLEAUT32(?), ref: 002377B0
            • SysFreeString.OLEAUT32(?), ref: 002377B9
            • StringFromGUID2.OLE32(?,?,00000028), ref: 002377DE
            • SysAllocString.OLEAUT32(?), ref: 002377EC
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00237842
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00237868
            • SysAllocString.OLEAUT32(00000000), ref: 0023786B
            • SysAllocString.OLEAUT32 ref: 0023788C
            • SysFreeString.OLEAUT32 ref: 00237895
            • StringFromGUID2.OLE32(?,?,00000028), ref: 002378AF
            • SysAllocString.OLEAUT32(?), ref: 002378BD
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 002404F2
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0024052E
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 002405C6
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00240601
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            APIs
              • Part of subcall function 001D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001D604C
              • Part of subcall function 001D600E: GetStockObject.GDI32(00000011), ref: 001D6060
              • Part of subcall function 001D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001D606A
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00264112
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0026411F
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0026412A
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00264139
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00264145
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            APIs
              • Part of subcall function 0020D7A3: _free.LIBCMT ref: 0020D7CC
            • _free.LIBCMT ref: 0020D82D
              • Part of subcall function 002029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000), ref: 002029DE
              • Part of subcall function 002029C8: GetLastError.KERNEL32(00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000,00000000), ref: 002029F0
            • _free.LIBCMT ref: 0020D838
            • _free.LIBCMT ref: 0020D843
            • _free.LIBCMT ref: 0020D897
            • _free.LIBCMT ref: 0020D8A2
            • _free.LIBCMT ref: 0020D8AD
            • _free.LIBCMT ref: 0020D8B8
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
            • Instruction ID: 49c26464370ffbce9138120ae163f6afa0a6b637fadd9806c4ee67abb736e399
            • Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
            • Instruction Fuzzy Hash: C6114F71562B08EAD721BFF4CC4BFCBBBDC6F40700F504825B299A60E3DA65B5254E50
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0023DA74
            • LoadStringW.USER32(00000000), ref: 0023DA7B
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0023DA91
            • LoadStringW.USER32(00000000), ref: 0023DA98
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0023DADC
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 0023DAB9
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 4072794657-3128320259
            • Opcode ID: 9ae7ab7e6c0b25e134e77334b0132819cd89f14490810fc20860005247a90719
            • Instruction ID: 44625cb1f0c1becc42cfe583d0338c5bea22f568e12d944276c4dc6c73516e82
            • Opcode Fuzzy Hash: 9ae7ab7e6c0b25e134e77334b0132819cd89f14490810fc20860005247a90719
            • Instruction Fuzzy Hash: F30162F29102487FE711ABA4ED8DEF7726CE708701F504492F786E2041E6B49E944F74
            APIs
            • InterlockedExchange.KERNEL32(0158E150,0158E150), ref: 0024097B
            • EnterCriticalSection.KERNEL32(0158E130,00000000), ref: 0024098D
            • TerminateThread.KERNEL32(00000004,000001F6), ref: 0024099B
            • WaitForSingleObject.KERNEL32(00000004,000003E8), ref: 002409A9
            • CloseHandle.KERNEL32(00000004), ref: 002409B8
            • InterlockedExchange.KERNEL32(0158E150,000001F6), ref: 002409C8
            • LeaveCriticalSection.KERNEL32(0158E130), ref: 002409CF
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: 9142a1eb8db9fc2af188642d7c45ea9860d322769f9abb8ceb3a5939a51ad553
            • Instruction ID: 1a57804bd343fa72ea3a31072bb7ef674781b5590870b1af5a231f899a5cb56d
            • Opcode Fuzzy Hash: 9142a1eb8db9fc2af188642d7c45ea9860d322769f9abb8ceb3a5939a51ad553
            • Instruction Fuzzy Hash: 81F01D31442502ABD7456FA4EE9CAE67A25BF01702F605025F641508A0C7B5A475CFA0
            APIs
            • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00251DC0
            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00251DE1
            • WSAGetLastError.WSOCK32 ref: 00251DF2
            • htons.WSOCK32(?), ref: 00251EDB
            • inet_ntoa.WSOCK32(?), ref: 00251E8C
              • Part of subcall function 002339E8: _strlen.LIBCMT ref: 002339F2
              • Part of subcall function 00253224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0024EC0C), ref: 00253240
            • _strlen.LIBCMT ref: 00251F35
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
            • String ID:
            • API String ID: 3203458085-0
            • Opcode ID: 8f2993d5a7c458f39b3b74dbeb3c4837d69e4acfab28cf4523395ed50855db7b
            • Instruction ID: 5530c0815180141f89cee5dd90a34a55706b24b5127828e93e62142944049cae
            • Opcode Fuzzy Hash: 8f2993d5a7c458f39b3b74dbeb3c4837d69e4acfab28cf4523395ed50855db7b
            • Instruction Fuzzy Hash: 98B1DE30214341AFC324DF24D885F2A7BA5AF94318F54894DF8565B2E2CB71ED5ACB91
            APIs
            • __allrem.LIBCMT ref: 002000BA
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002000D6
            • __allrem.LIBCMT ref: 002000ED
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0020010B
            • __allrem.LIBCMT ref: 00200122
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00200140
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID:
            • API String ID: 1992179935-0
            • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
            • Instruction ID: 44d85cd0aade3fe989d486858fbf1c328d1edfaffee9783f758aeba3907033d5
            • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
            • Instruction Fuzzy Hash: 43812672A10B069BF7209F68CC81B6BB3E9AF41320F24413EF615D72C2E7B0D9518B90
            APIs
            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001F82D9,001F82D9,?,?,?,0020644F,00000001,00000001,8BE85006), ref: 00206258
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0020644F,00000001,00000001,8BE85006,?,?,?), ref: 002062DE
            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002063D8
            • __freea.LIBCMT ref: 002063E5
              • Part of subcall function 00203820: RtlAllocateHeap.NTDLL(00000000,?,002A1444,?,001EFDF5,?,?,001DA976,00000010,002A1440,001D13FC,?,001D13C6,?,001D1129), ref: 00203852
            • __freea.LIBCMT ref: 002063EE
            • __freea.LIBCMT ref: 00206413
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ByteCharMultiWide__freea$AllocateHeap
            • String ID:
            • API String ID: 1414292761-0
            • Opcode ID: ed03707b5875dd2f09693410af69a8427099c1d7bc471f619a7d26154524859f
            • Instruction ID: 3be64329b24a9b2ba4108ba318f8135e7e647f24d9d9cd8e18352f3a6a74df1e
            • Opcode Fuzzy Hash: ed03707b5875dd2f09693410af69a8427099c1d7bc471f619a7d26154524859f
            • Instruction Fuzzy Hash: 1B51B072620316AFDB258FA4DC89EAF76A9EB44B10F144669FC05D61C2DB74DC70CAA0
            APIs
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
              • Part of subcall function 0025C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0025B6AE,?,?), ref: 0025C9B5
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025C9F1
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025CA68
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0025BCCA
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0025BD25
            • RegCloseKey.ADVAPI32(00000000), ref: 0025BD6A
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0025BD99
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0025BDF3
            • RegCloseKey.ADVAPI32(?), ref: 0025BDFF
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
            • String ID:
            • API String ID: 1120388591-0
            • Opcode ID: 96a6f917f8dbe285639469bd881d45871260076aab8b771db221efe93faa08c9
            • Instruction ID: 5f2bfa2081cbc006023527fc5922ef5c0aae642ca17a77afc39100757887fdf2
            • Opcode Fuzzy Hash: 96a6f917f8dbe285639469bd881d45871260076aab8b771db221efe93faa08c9
            • Instruction Fuzzy Hash: 34819D30228241AFC715DF24C895E2ABBF5FF84308F54855DF8994B2A2DB31ED59CB92
            APIs
            • VariantInit.OLEAUT32(00000035), ref: 0022F7B9
            • SysAllocString.OLEAUT32(00000001), ref: 0022F860
            • VariantCopy.OLEAUT32(0022FA64,00000000), ref: 0022F889
            • VariantClear.OLEAUT32(0022FA64), ref: 0022F8AD
            • VariantCopy.OLEAUT32(0022FA64,00000000), ref: 0022F8B1
            • VariantClear.OLEAUT32(?), ref: 0022F8BB
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Variant$ClearCopy$AllocInitString
            • String ID:
            • API String ID: 3859894641-0
            • Opcode ID: e180c13bfa7dd830b0a755365de3165b43d6a0c77d11c977e6fb7b7f8fdc1db8
            • Instruction ID: a281da38279ab22d44554180d473b85bf143c7cb94db7d2d95ba0c8081c0f6ce
            • Opcode Fuzzy Hash: e180c13bfa7dd830b0a755365de3165b43d6a0c77d11c977e6fb7b7f8fdc1db8
            • Instruction Fuzzy Hash: 5551C731520320BACF64AFA5F995B29B3B4EF55310B24947BF806DF291DBB48C90CB56
            APIs
              • Part of subcall function 001D7620: _wcslen.LIBCMT ref: 001D7625
              • Part of subcall function 001D6B57: _wcslen.LIBCMT ref: 001D6B6A
            • GetOpenFileNameW.COMDLG32(00000058), ref: 002494E5
            • _wcslen.LIBCMT ref: 00249506
            • _wcslen.LIBCMT ref: 0024952D
            • GetSaveFileNameW.COMDLG32(00000058), ref: 00249585
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$FileName$OpenSave
            • String ID: X
            • API String ID: 83654149-3081909835
            • Opcode ID: b9791d41678a02e9aa47c19ad1ad4d77321c4023ca5328088b393ab47fea46db
            • Instruction ID: 661a775395db19e2e6ef35e187706798c82e272663f7788c2791e58f9f1de117
            • Opcode Fuzzy Hash: b9791d41678a02e9aa47c19ad1ad4d77321c4023ca5328088b393ab47fea46db
            • Instruction Fuzzy Hash: 1DE1C1316183418FC728DF24D881A6BB7E4BF95314F14896DF8899B3A2DB31ED45CB92
            APIs
              • Part of subcall function 001E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001E9BB2
            • BeginPaint.USER32(?,?,?), ref: 001E9241
            • GetWindowRect.USER32(?,?), ref: 001E92A5
            • ScreenToClient.USER32(?,?), ref: 001E92C2
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001E92D3
            • EndPaint.USER32(?,?,?,?,?), ref: 001E9321
            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002271EA
              • Part of subcall function 001E9339: BeginPath.GDI32(00000000), ref: 001E9357
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
            • String ID:
            • API String ID: 3050599898-0
            • Opcode ID: 6c62d24903776a1e6a42419671a4b73f53415d11f3c7c0341e77b1e2bc579fbf
            • Instruction ID: 4ba93f7bd626b2b2b786b6665a6bc527c8d8a1a3e0a11d1b3483c34bd4d2bf7d
            • Opcode Fuzzy Hash: 6c62d24903776a1e6a42419671a4b73f53415d11f3c7c0341e77b1e2bc579fbf
            • Instruction Fuzzy Hash: 3B41D270108651AFD711DF65EC88FBB7BB8EF56320F100629F9A4872E1CB709855DB62
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0024080C
            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00240847
            • EnterCriticalSection.KERNEL32(?), ref: 00240863
            • LeaveCriticalSection.KERNEL32(?), ref: 002408DC
            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002408F3
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00240921
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
            • String ID:
            • API String ID: 3368777196-0
            • Opcode ID: 114ed5aa3359d69babf9afadc65b0a8ad8b6da1a607c301f90347ae5538f5686
            • Instruction ID: 59d26906fac31387a9172510692dc8d88e675a89659fa5106172a5ea1d23080a
            • Opcode Fuzzy Hash: 114ed5aa3359d69babf9afadc65b0a8ad8b6da1a607c301f90347ae5538f5686
            • Instruction Fuzzy Hash: 9D416B71900205EFDF15AF54DC85AAA77B8FF04300F1480A9EE049A297DB70EE65DBA4
            APIs
            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0022F3AB,00000000,?,?,00000000,?,0022682C,00000004,00000000,00000000), ref: 0026824C
            • EnableWindow.USER32(00000000,00000000), ref: 00268272
            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 002682D1
            • ShowWindow.USER32(00000000,00000004), ref: 002682E5
            • EnableWindow.USER32(00000000,00000001), ref: 0026830B
            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0026832F
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: 58df32d1aa3406b1154e6a0b9d72f816683bb5d7bbd0a9e5323ba8ca57cd0859
            • Instruction ID: 8963d7b6682630303882a5c014121339c186f615ce75d240e99395f7ae55f694
            • Opcode Fuzzy Hash: 58df32d1aa3406b1154e6a0b9d72f816683bb5d7bbd0a9e5323ba8ca57cd0859
            • Instruction Fuzzy Hash: 4441C830601686AFDB15CF15D8A9BF57BE0FB46714F1843A9E9484F272CB71A8A1CF50
            APIs
            • IsWindowVisible.USER32(?), ref: 00234C95
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00234CB2
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00234CEA
            • _wcslen.LIBCMT ref: 00234D08
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00234D10
            • _wcsstr.LIBVCRUNTIME ref: 00234D1A
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
            • String ID:
            • API String ID: 72514467-0
            • Opcode ID: e53e0986dce2e830c47a4bf95f91872aaca15ee975bb9209fed1eb74af843162
            • Instruction ID: c6649582d643f097aadbffc8f51379923b29762df1499b5c0f47a29bd0e2e2b0
            • Opcode Fuzzy Hash: e53e0986dce2e830c47a4bf95f91872aaca15ee975bb9209fed1eb74af843162
            • Instruction Fuzzy Hash: 642126B2214205BBEB196F39EC09E7F7B9CDF49750F10806EF805CA191EBA1EC1186A0
            APIs
              • Part of subcall function 001D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001D3A97,?,?,001D2E7F,?,?,?,00000000), ref: 001D3AC2
            • _wcslen.LIBCMT ref: 0024587B
            • CoInitialize.OLE32(00000000), ref: 00245995
            • CoCreateInstance.OLE32(0026FCF8,00000000,00000001,0026FB68,?), ref: 002459AE
            • CoUninitialize.OLE32 ref: 002459CC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 3172280962-24824748
            • Opcode ID: a7bbfaab405df8f3dddc2bbcbc9d53532ad0b366c6f0b7a1ec67736cf972adc1
            • Instruction ID: fc46e4aa4f61475ddc450a92daa4951360f9416cc55ad73f5326f9f5d91b90f1
            • Opcode Fuzzy Hash: a7bbfaab405df8f3dddc2bbcbc9d53532ad0b366c6f0b7a1ec67736cf972adc1
            • Instruction Fuzzy Hash: 42D163716186129FC718DF24C48092ABBE1FF89714F14895DF88A9B362DB31EC45CB92
            APIs
              • Part of subcall function 00230FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00230FCA
              • Part of subcall function 00230FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00230FD6
              • Part of subcall function 00230FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00230FE5
              • Part of subcall function 00230FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00230FEC
              • Part of subcall function 00230FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00231002
            • GetLengthSid.ADVAPI32(?,00000000,00231335), ref: 002317AE
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 002317BA
            • HeapAlloc.KERNEL32(00000000), ref: 002317C1
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 002317DA
            • GetProcessHeap.KERNEL32(00000000,00000000,00231335), ref: 002317EE
            • HeapFree.KERNEL32(00000000), ref: 002317F5
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            • Opcode ID: c1cea80a765cb4aab132faca9fc2d1ab9b743dce17bf44d4371b5d51b36d6efa
            • Instruction ID: 57e13dcee9f418e1a03a2c8ab634a33d585c4b0a446dddb65e7bffe624cc6454
            • Opcode Fuzzy Hash: c1cea80a765cb4aab132faca9fc2d1ab9b743dce17bf44d4371b5d51b36d6efa
            • Instruction Fuzzy Hash: 5C11B1B1520205FFDB20AFA4DC49BBEBBB9EB46355F248058F48597210C7759964CB70
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002314FF
            • OpenProcessToken.ADVAPI32(00000000), ref: 00231506
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00231515
            • CloseHandle.KERNEL32(00000004), ref: 00231520
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0023154F
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00231563
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: 1a39df7097c3824fbbfc1f8d282c75cc8d9ad1c83d61e7487932899f815b69cb
            • Instruction ID: 024048f44d788691490aad521d7a923a8fa4f09e17ced4feea281b53a9971915
            • Opcode Fuzzy Hash: 1a39df7097c3824fbbfc1f8d282c75cc8d9ad1c83d61e7487932899f815b69cb
            • Instruction Fuzzy Hash: FA115CB250020AABDF119F94ED49BEE7BA9EF48744F148015FA05A2160C3B18E70DB60
            APIs
            • GetLastError.KERNEL32(?,?,001F3379,001F2FE5), ref: 001F3390
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001F339E
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001F33B7
            • SetLastError.KERNEL32(00000000,?,001F3379,001F2FE5), ref: 001F3409
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            • Opcode ID: 2e4717332aafba6d2e1d9669310db74551e78b43e2d49138a034bd8c0bc3337f
            • Instruction ID: b4695d1420e3793894bc37026e7c81e5b18e13de01b0c07758ad1a23b1abb190
            • Opcode Fuzzy Hash: 2e4717332aafba6d2e1d9669310db74551e78b43e2d49138a034bd8c0bc3337f
            • Instruction Fuzzy Hash: 3D012F33208319BFAA2937B47C89A372A94EB25379B30022AF730802F0EF524E225554
            APIs
            • GetLastError.KERNEL32(?,?,00205686,00213CD6,?,00000000,?,00205B6A,?,?,?,?,?,001FE6D1,?,00298A48), ref: 00202D78
            • _free.LIBCMT ref: 00202DAB
            • _free.LIBCMT ref: 00202DD3
            • SetLastError.KERNEL32(00000000,?,?,?,?,001FE6D1,?,00298A48,00000010,001D4F4A,?,?,00000000,00213CD6), ref: 00202DE0
            • SetLastError.KERNEL32(00000000,?,?,?,?,001FE6D1,?,00298A48,00000010,001D4F4A,?,?,00000000,00213CD6), ref: 00202DEC
            • _abort.LIBCMT ref: 00202DF2
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorLast$_free$_abort
            • String ID:
            • API String ID: 3160817290-0
            • Opcode ID: 3d87e2a9fd6afb7079244e0532d445039a90407e7a973fc0f5e874ecc8fdd7d5
            • Instruction ID: f8c44c6f21087c74a1a63e85fd97414cb189bd8a1a3d6f7e4a03d2578ffb6554
            • Opcode Fuzzy Hash: 3d87e2a9fd6afb7079244e0532d445039a90407e7a973fc0f5e874ecc8fdd7d5
            • Instruction Fuzzy Hash: BCF0C836534B01EBC7127B34BC0EE2A265DAFC27A5F35441BF828922E7EE648C394570
            APIs
              • Part of subcall function 001E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001E9693
              • Part of subcall function 001E9639: SelectObject.GDI32(?,00000000), ref: 001E96A2
              • Part of subcall function 001E9639: BeginPath.GDI32(?), ref: 001E96B9
              • Part of subcall function 001E9639: SelectObject.GDI32(?,00000000), ref: 001E96E2
            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00268A4E
            • LineTo.GDI32(?,00000003,00000000), ref: 00268A62
            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00268A70
            • LineTo.GDI32(?,00000000,00000003), ref: 00268A80
            • EndPath.GDI32(?), ref: 00268A90
            • StrokePath.GDI32(?), ref: 00268AA0
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: 25935506f44b2816bde5990db95dc0681fce8a82255e8c2d2c5bee7528f05cc8
            • Instruction ID: ec628b99f6e0888140117b926210f5cf78fc9c1de90316da6f18938b080854e1
            • Opcode Fuzzy Hash: 25935506f44b2816bde5990db95dc0681fce8a82255e8c2d2c5bee7528f05cc8
            • Instruction Fuzzy Hash: B6110976000149FFDF12AF94EC88EAA7F6CEB08390F10C012FA599A1A1C7719D65DBA0
            APIs
            • GetDC.USER32(00000000), ref: 00235218
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00235229
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00235230
            • ReleaseDC.USER32(00000000,00000000), ref: 00235238
            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0023524F
            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00235261
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CapsDevice$Release
            • String ID:
            • API String ID: 1035833867-0
            • Opcode ID: 62ab0c23b15746b85cc9977e31573d8b7d7fbb77bcfaf71bdfb7d50606d691f4
            • Instruction ID: c0e51b396d171781c22ffc7cd8e4b8aabac5fc7c5defc69a3f3cde4027cc06f0
            • Opcode Fuzzy Hash: 62ab0c23b15746b85cc9977e31573d8b7d7fbb77bcfaf71bdfb7d50606d691f4
            • Instruction Fuzzy Hash: 2601A775E00715BBEB106FE59C49E5EBFB8EF44351F148065FA08A7280D6B09C10CF60
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001D1BF4
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 001D1BFC
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001D1C07
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 001D1C12
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 001D1C1A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 001D1C22
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: 5966f208ff8c28cbfcc14f6aeaba86bbcb3ae7a63634b2a9124fb9df1801774d
            • Instruction ID: cb08f5adfed23fee0269eb00cbd9ec726fb9b5ad38abfe82dc795ac7d4ac4b4c
            • Opcode Fuzzy Hash: 5966f208ff8c28cbfcc14f6aeaba86bbcb3ae7a63634b2a9124fb9df1801774d
            • Instruction Fuzzy Hash: 720167B0902B5ABDE3009F6A8C85B52FFA8FF59354F00411BE15C4BA42C7F5A864CBE5
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0023EB30
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0023EB46
            • GetWindowThreadProcessId.USER32(?,?), ref: 0023EB55
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0023EB64
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0023EB6E
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0023EB75
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: 255d7bdd0561aac768d79c35e132c9dd72fc6c3237a945cfb7548afe2cee6688
            • Instruction ID: deca5f9283d0da118d4a029546502d8fb976fed7b54f3fbb6a6ddb2e35419e1f
            • Opcode Fuzzy Hash: 255d7bdd0561aac768d79c35e132c9dd72fc6c3237a945cfb7548afe2cee6688
            • Instruction Fuzzy Hash: 77F01D72140159BBE7217B52EC0EEBB7A7CEFCAB11F108158F642D119196E05A0186B5
            APIs
            • GetClientRect.USER32(?), ref: 00227452
            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00227469
            • GetWindowDC.USER32(?), ref: 00227475
            • GetPixel.GDI32(00000000,?,?), ref: 00227484
            • ReleaseDC.USER32(?,00000000), ref: 00227496
            • GetSysColor.USER32(00000005), ref: 002274B0
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ClientColorMessagePixelRectReleaseSendWindow
            • String ID:
            • API String ID: 272304278-0
            • Opcode ID: 3b5500c3ec384d086eda720b5e3faac80d15fcdd40ea67a12d136dc5bbde54ab
            • Instruction ID: e77d140a6b8ced2a23dd69c23968798fc03923fd1c7c543ab1e106b61071504a
            • Opcode Fuzzy Hash: 3b5500c3ec384d086eda720b5e3faac80d15fcdd40ea67a12d136dc5bbde54ab
            • Instruction Fuzzy Hash: 48018B31404215FFDB106FA4EC0CBBA7BB5FB04321F618060F966A21A0CBB11E51EB50
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0023187F
            • UnloadUserProfile.USERENV(?,?), ref: 0023188B
            • CloseHandle.KERNEL32(?), ref: 00231894
            • CloseHandle.KERNEL32(?), ref: 0023189C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 002318A5
            • HeapFree.KERNEL32(00000000), ref: 002318AC
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: 8fd4558c0c95c1f174ca3c1eed1a7cfa1ad96ac5a49c632c219eb7425a2ec4c6
            • Instruction ID: 0e5bb3e49c1309782d3868c8f654c00163e4c89b1b2ed6a3c9e481fdda0dcb93
            • Opcode Fuzzy Hash: 8fd4558c0c95c1f174ca3c1eed1a7cfa1ad96ac5a49c632c219eb7425a2ec4c6
            • Instruction Fuzzy Hash: DBE0C236004101BBDB017BA2FD0C91ABB29FB4AB22B30C261F26981170CBB29420DB60
            APIs
            • __Init_thread_footer.LIBCMT ref: 001DBEB3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: D%*$D%*$D%*$D%*D%*
            • API String ID: 1385522511-3318676335
            • Opcode ID: c0f8101836cd8fa37223b314179ecb0c9c9ad4f0d88c587b85b376e1f4aeb9e1
            • Instruction ID: 198376f276d605bc835fcb9ce1e1d8ecfd9c4dcfdbb497408e33f3c06fe25c05
            • Opcode Fuzzy Hash: c0f8101836cd8fa37223b314179ecb0c9c9ad4f0d88c587b85b376e1f4aeb9e1
            • Instruction Fuzzy Hash: 08915B75A0460ACFCB18CF99C0D06A9B7F2FF59314B26416ED946AB350EB31ED81CB90
            APIs
              • Part of subcall function 001F0242: EnterCriticalSection.KERNEL32(002A070C,002A1884,?,?,001E198B,002A2518,?,?,?,001D12F9,00000000), ref: 001F024D
              • Part of subcall function 001F0242: LeaveCriticalSection.KERNEL32(002A070C,?,001E198B,002A2518,?,?,?,001D12F9,00000000), ref: 001F028A
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
              • Part of subcall function 001F00A3: __onexit.LIBCMT ref: 001F00A9
            • __Init_thread_footer.LIBCMT ref: 00257BFB
              • Part of subcall function 001F01F8: EnterCriticalSection.KERNEL32(002A070C,?,?,001E8747,002A2514), ref: 001F0202
              • Part of subcall function 001F01F8: LeaveCriticalSection.KERNEL32(002A070C,?,001E8747,002A2514), ref: 001F0235
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
            • String ID: +T"$5$G$Variable must be of type 'Object'.
            • API String ID: 535116098-2019472171
            • Opcode ID: eb6826e8c1848968b3720030ee0b79fec1b632aa89506b4c7af2195ba65d4d52
            • Instruction ID: 42f246155e66c7f4688142cbc187b70e1eeb4b7bebfb28c5d463452df0d277c2
            • Opcode Fuzzy Hash: eb6826e8c1848968b3720030ee0b79fec1b632aa89506b4c7af2195ba65d4d52
            • Instruction Fuzzy Hash: EA918A70A64209EFCB04EF54E8919BDB7B1FF49301F50805AFC069B292DB71AE69CB54
            APIs
              • Part of subcall function 001D7620: _wcslen.LIBCMT ref: 001D7625
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0023C6EE
            • _wcslen.LIBCMT ref: 0023C735
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0023C79C
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0023C7CA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ItemMenu$Info_wcslen$Default
            • String ID: 0
            • API String ID: 1227352736-4108050209
            • Opcode ID: 8a2ca7ee841171d9f332e5fc38b5f8811730168aef51c1ccfe2b660f5275fd44
            • Instruction ID: 4dfc29652a2e4f215860994ff14dd7b68ea904304f70d1f93c58efb7f4346bfb
            • Opcode Fuzzy Hash: 8a2ca7ee841171d9f332e5fc38b5f8811730168aef51c1ccfe2b660f5275fd44
            • Instruction Fuzzy Hash: C151B3B16243029BD7159F28C885B6BB7E8AF99314F24092EF995F21D0DB70D924CF52
            APIs
            • ShellExecuteExW.SHELL32(0000003C), ref: 0025AEA3
              • Part of subcall function 001D7620: _wcslen.LIBCMT ref: 001D7625
            • GetProcessId.KERNEL32(00000000), ref: 0025AF38
            • CloseHandle.KERNEL32(00000000), ref: 0025AF67
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CloseExecuteHandleProcessShell_wcslen
            • String ID: <$@
            • API String ID: 146682121-1426351568
            • Opcode ID: a12d6c44d214265b7308bbf10039548304f8a83ff0b3adec024826501a849647
            • Instruction ID: 995abcab85b242c2e9f80322f43846e5d53171664da5772beb12988dc32e4dae
            • Opcode Fuzzy Hash: a12d6c44d214265b7308bbf10039548304f8a83ff0b3adec024826501a849647
            • Instruction Fuzzy Hash: F5718970A10219DFCB14EF54D486A9EBBF0FF08300F0485AAE816AB392DB75ED55CB95
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00237206
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0023723C
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0023724D
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002372CF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            • Opcode ID: 7a06ae536c3dcd4706f4e93c6a8aa5a8f02fcf5ff6483aec0516b97df3f6c415
            • Instruction ID: c783023a0b95e95ac57795a257f8527af96fd0d3d48432889a19f04f6254a775
            • Opcode Fuzzy Hash: 7a06ae536c3dcd4706f4e93c6a8aa5a8f02fcf5ff6483aec0516b97df3f6c415
            • Instruction Fuzzy Hash: 0B412DF1614205AFDF25CF54C884A9B7BA9EF49314F2480AABD059F20AD7B1D954CBA0
            APIs
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00262F8D
            • LoadLibraryW.KERNEL32(?), ref: 00262F94
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00262FA9
            • DestroyWindow.USER32(?), ref: 00262FB1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$DestroyLibraryLoadWindow
            • String ID: SysAnimate32
            • API String ID: 3529120543-1011021900
            • Opcode ID: 6474321f8ef36cf88fb46c37c58ea57076bbd63654ce836e8988b2c206919226
            • Instruction ID: 9ad96e4d9882ace612a570837a36ca1b7697458d161b01b4d9952393d2381acd
            • Opcode Fuzzy Hash: 6474321f8ef36cf88fb46c37c58ea57076bbd63654ce836e8988b2c206919226
            • Instruction Fuzzy Hash: F921DC71220606EBEB104FA4DC84EBB37BDEF59364F108218FA50D65A0C7B1DCA59BA0
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001F4D1E,002028E9,?,001F4CBE,002028E9,002988B8,0000000C,001F4E15,002028E9,00000002), ref: 001F4D8D
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001F4DA0
            • FreeLibrary.KERNEL32(00000000,?,?,?,001F4D1E,002028E9,?,001F4CBE,002028E9,002988B8,0000000C,001F4E15,002028E9,00000002,00000000), ref: 001F4DC3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 5256839c39b67b60604077102cf4a228f45172832c8a9717412753af3df36a17
            • Instruction ID: 6fdccc5a002714fe241339ead5dcc14f69594cccf73cd41508a4561c7b84e35e
            • Opcode Fuzzy Hash: 5256839c39b67b60604077102cf4a228f45172832c8a9717412753af3df36a17
            • Instruction Fuzzy Hash: F0F04F34A4020CBBDB15AF94EC4DBBEBBB5EF55752F1440A5F909A2260DB705A50CB90
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,001D4EDD,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4E9C
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001D4EAE
            • FreeLibrary.KERNEL32(00000000,?,?,001D4EDD,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4EC0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-3689287502
            • Opcode ID: e2f11ba35db8db178cbe90b9b825a5be749562f6f3ea19067776711dca3a9683
            • Instruction ID: fac1e322eaad806db961739465a6bee2cd41a66da6718ef90227d485868a9ed8
            • Opcode Fuzzy Hash: e2f11ba35db8db178cbe90b9b825a5be749562f6f3ea19067776711dca3a9683
            • Instruction Fuzzy Hash: E8E08635A015226B922127257C1CA7B6654AF87B627194156FC44D2200DBB4CD0140B4
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00213CDE,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4E62
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001D4E74
            • FreeLibrary.KERNEL32(00000000,?,?,00213CDE,?,002A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001D4E87
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-1355242751
            • Opcode ID: fa4bcaea0558bf4ab40e1ccef6ef6c29fad353f10c9e30abf078229becbc860b
            • Instruction ID: 0046734c72476d001305a2a06137201be944c01dfe71f9543f3431e11e1abc90
            • Opcode Fuzzy Hash: fa4bcaea0558bf4ab40e1ccef6ef6c29fad353f10c9e30abf078229becbc860b
            • Instruction Fuzzy Hash: CED0C231502661676A223B24BC0CDAB6B18AFCBB513154252F848A2210CFB8CD0181E0
            APIs
            • GetCurrentProcessId.KERNEL32 ref: 0025A427
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0025A435
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0025A468
            • CloseHandle.KERNEL32(?), ref: 0025A63D
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Process$CloseCountersCurrentHandleOpen
            • String ID:
            • API String ID: 3488606520-0
            • Opcode ID: af0fc2846f8191778135beebf59511a35bf2bff1d12c070a104d36e2acb9b93c
            • Instruction ID: 2bc0978ac4d23d283ecaebd75f1b30f729fe68ba654488c6f2718fa28062a7a5
            • Opcode Fuzzy Hash: af0fc2846f8191778135beebf59511a35bf2bff1d12c070a104d36e2acb9b93c
            • Instruction Fuzzy Hash: DCA1AE716043019FD720DF28D886F2AB7E5AF98714F14895DF99A9B392D7B0EC44CB82
            APIs
            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00273700), ref: 0020BB91
            • WideCharToMultiByte.KERNEL32(00000000,00000000,002A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0020BC09
            • WideCharToMultiByte.KERNEL32(00000000,00000000,002A1270,000000FF,?,0000003F,00000000,?), ref: 0020BC36
            • _free.LIBCMT ref: 0020BB7F
              • Part of subcall function 002029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000), ref: 002029DE
              • Part of subcall function 002029C8: GetLastError.KERNEL32(00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000,00000000), ref: 002029F0
            • _free.LIBCMT ref: 0020BD4B
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
            • String ID:
            • API String ID: 1286116820-0
            • Opcode ID: c74cf452922c3a8cda0b014e1d10788e00a3ec8873f0c901b6dc0a12717c76f4
            • Instruction ID: 1f6a7529222f36d6c60e7fcfcf6be3a9165960be369d36e599334b0f0a1bfb0a
            • Opcode Fuzzy Hash: c74cf452922c3a8cda0b014e1d10788e00a3ec8873f0c901b6dc0a12717c76f4
            • Instruction Fuzzy Hash: AE511A71810319DFDB21EF659C45AAEB7BCEF41320F20426BE454D71D2DB709E608B50
            APIs
              • Part of subcall function 0023DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0023CF22,?), ref: 0023DDFD
              • Part of subcall function 0023DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0023CF22,?), ref: 0023DE16
              • Part of subcall function 0023E199: GetFileAttributesW.KERNEL32(?,0023CF95), ref: 0023E19A
            • lstrcmpiW.KERNEL32(?,?), ref: 0023E473
            • MoveFileW.KERNEL32(?,?), ref: 0023E4AC
            • _wcslen.LIBCMT ref: 0023E5EB
            • _wcslen.LIBCMT ref: 0023E603
            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0023E650
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
            • String ID:
            • API String ID: 3183298772-0
            • Opcode ID: a3b469f93ded8ef4556102f21b7377a0aecf579268f486028a13ea3e3e656844
            • Instruction ID: 38d4eeac4d33f7dc790b5b5beedab79ddc80037b0bdcee6e72f1bac8b46b39cd
            • Opcode Fuzzy Hash: a3b469f93ded8ef4556102f21b7377a0aecf579268f486028a13ea3e3e656844
            • Instruction Fuzzy Hash: EF5193F24183459BCB24EB90D8819EF73ECAF94340F00491EF689D3191EF74A59C8B66
            APIs
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
              • Part of subcall function 0025C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0025B6AE,?,?), ref: 0025C9B5
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025C9F1
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025CA68
              • Part of subcall function 0025C998: _wcslen.LIBCMT ref: 0025CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0025BAA5
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0025BB00
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0025BB63
            • RegCloseKey.ADVAPI32(?,?), ref: 0025BBA6
            • RegCloseKey.ADVAPI32(00000000), ref: 0025BBB3
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
            • String ID:
            • API String ID: 826366716-0
            • Opcode ID: b5f690045ef7f84e19890b9846c9ad96edcc96b41fe4b2657af1440288313d21
            • Instruction ID: 863e15dda9ac3a92ef3a76ed18216a8107d33000e05a8136970273b61eb61751
            • Opcode Fuzzy Hash: b5f690045ef7f84e19890b9846c9ad96edcc96b41fe4b2657af1440288313d21
            • Instruction Fuzzy Hash: 3161C231228241EFD715DF14C490E2ABBE5FF84308F54855DF8998B2A2DB71ED49CB92
            APIs
            • VariantInit.OLEAUT32(?), ref: 00238BCD
            • VariantClear.OLEAUT32 ref: 00238C3E
            • VariantClear.OLEAUT32 ref: 00238C9D
            • VariantClear.OLEAUT32(?), ref: 00238D10
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00238D3B
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Variant$Clear$ChangeInitType
            • String ID:
            • API String ID: 4136290138-0
            • Opcode ID: 94335ca1821328ce31557931c80d646e7a89cdb627b8aa1d087bf3a3cb583e20
            • Instruction ID: aadb4712f6cb07e291c94a611ccd79e42e7d1ba21c5b3e7dce0f2e89d9767101
            • Opcode Fuzzy Hash: 94335ca1821328ce31557931c80d646e7a89cdb627b8aa1d087bf3a3cb583e20
            • Instruction Fuzzy Hash: 95516AB5A10219EFCB14DF68D884AAAB7F8FF89310F158559F905DB350EB30E911CB90
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00248BAE
            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00248BDA
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00248C32
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00248C57
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00248C5F
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: PrivateProfile$SectionWrite$String
            • String ID:
            • API String ID: 2832842796-0
            • Opcode ID: 3881ea56cb7984d31573b4e9d3522edb5ff716db8a43c262db975f00c68a7b2b
            • Instruction ID: af20f08079d3380ebe8f532615f32e280df2fdfe237438c54e830a767d8c371e
            • Opcode Fuzzy Hash: 3881ea56cb7984d31573b4e9d3522edb5ff716db8a43c262db975f00c68a7b2b
            • Instruction Fuzzy Hash: BC515A35A102159FCB09DF65D880A6EBBF5FF48314F088459E849AB3A2DB31ED51CB91
            APIs
            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00258F40
            • GetProcAddress.KERNEL32(00000000,?), ref: 00258FD0
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00258FEC
            • GetProcAddress.KERNEL32(00000000,?), ref: 00259032
            • FreeLibrary.KERNEL32(00000000), ref: 00259052
              • Part of subcall function 001EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00241043,?,7529E610), ref: 001EF6E6
              • Part of subcall function 001EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0022FA64,00000000,00000000,?,?,00241043,?,7529E610,?,0022FA64), ref: 001EF70D
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
            • String ID:
            • API String ID: 666041331-0
            • Opcode ID: fb3a29f264d25b3d324e65d63d3ebfd833a4f5a40555eb39e4828028ac512a2b
            • Instruction ID: 4d88605d1211a7786b690d6755d0424d5eb80303da5304bde5d98c2c352b25b6
            • Opcode Fuzzy Hash: fb3a29f264d25b3d324e65d63d3ebfd833a4f5a40555eb39e4828028ac512a2b
            • Instruction Fuzzy Hash: 6D516A35604206DFC704DF58D4948ADBBF1FF59324B548099EC0AAB762DB71ED89CB90
            APIs
            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00266C33
            • SetWindowLongW.USER32(?,000000EC,?), ref: 00266C4A
            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00266C73
            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0024AB79,00000000,00000000), ref: 00266C98
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00266CC7
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$Long$MessageSendShow
            • String ID:
            • API String ID: 3688381893-0
            • Opcode ID: 7994975119908cd151a6040fb851afd3161db12d2a312216d6365bb6e77c6b9c
            • Instruction ID: 08a295c9e9ce8bfaca3f8985f5f6e28e33f07c2944c91c21dca0433f075593a1
            • Opcode Fuzzy Hash: 7994975119908cd151a6040fb851afd3161db12d2a312216d6365bb6e77c6b9c
            • Instruction Fuzzy Hash: 2D41EA35624545AFD724DF28CC5CFB97FA9EB09360F144226F895A72E0C7B1EDA1CA80
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: de6b1cab0d54eca9659bca8633aac20eacce04b01cce9469da075b885a5aface
            • Instruction ID: 185142ac8ff5192344dc15cfd8ad67b2c449d07e74f736d328e9473184cea7bd
            • Opcode Fuzzy Hash: de6b1cab0d54eca9659bca8633aac20eacce04b01cce9469da075b885a5aface
            • Instruction Fuzzy Hash: 3E41C132A10304DBCB20DF68C884A5DB3A6EF99314F2545AAE615EB392D731AD15CB90
            APIs
            • GetCursorPos.USER32(?), ref: 001E9141
            • ScreenToClient.USER32(00000000,?), ref: 001E915E
            • GetAsyncKeyState.USER32(00000001), ref: 001E9183
            • GetAsyncKeyState.USER32(00000002), ref: 001E919D
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: d944e8c8fbeb0991e8c70e941f3729763387dcc619f588f7286399920a8b6407
            • Instruction ID: f34b54ba1cc2732b0f569812820541b42bc52859c351df0943861d5778ed9a16
            • Opcode Fuzzy Hash: d944e8c8fbeb0991e8c70e941f3729763387dcc619f588f7286399920a8b6407
            • Instruction Fuzzy Hash: 60415F3191855BFBDF19AFA5D848BEEB774FF05320F208216E429A3290C7705964CF51
            APIs
            • GetInputState.USER32 ref: 002438CB
            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00243922
            • TranslateMessage.USER32(?), ref: 0024394B
            • DispatchMessageW.USER32(?), ref: 00243955
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00243966
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
            • String ID:
            • API String ID: 2256411358-0
            • Opcode ID: fd0694c3bc9459b302612ab5e314580e9a0fa8a31c23eb91c19a39818f247211
            • Instruction ID: c6494ae8f0ca3ca51dc30adb0cc2c4bfaf82537936f9a24f87e1bfbd21076313
            • Opcode Fuzzy Hash: fd0694c3bc9459b302612ab5e314580e9a0fa8a31c23eb91c19a39818f247211
            • Instruction Fuzzy Hash: DA31A470924343DFEB2DDF35A84CBB677A8AB06314F144569E4A2821A0E7F49AA4CB11
            APIs
            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0024CF38
            • InternetReadFile.WININET(?,00000000,?,?), ref: 0024CF6F
            • GetLastError.KERNEL32(?,00000000,?,?,?,0024C21E,00000000), ref: 0024CFB4
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0024C21E,00000000), ref: 0024CFC8
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0024C21E,00000000), ref: 0024CFF2
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
            • String ID:
            • API String ID: 3191363074-0
            • Opcode ID: ff9dd8fb3b64eb1f16ad03bfab0d4b12cca190fb44e76a407bc68c9b597d124d
            • Instruction ID: 18eb31b1b1b7a68cc3e0f38c89406781a765a76f0f30f6a89cf2416697a01e11
            • Opcode Fuzzy Hash: ff9dd8fb3b64eb1f16ad03bfab0d4b12cca190fb44e76a407bc68c9b597d124d
            • Instruction Fuzzy Hash: 2C31CE71611206EFDB68DFA9D884AAFBBF9FB10300B20802FF406D2500DB74AE15CB60
            APIs
            • GetWindowRect.USER32(?,?), ref: 00231915
            • PostMessageW.USER32(00000001,00000201,00000001), ref: 002319C1
            • Sleep.KERNEL32(00000000,?,?,?), ref: 002319C9
            • PostMessageW.USER32(00000001,00000202,00000000), ref: 002319DA
            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 002319E2
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            • Opcode ID: 167a7734f6f66f8e5c6e0224c412e7d2c4af7560f60a198dbecf0343eef16f6f
            • Instruction ID: 0db2b7eda16ba1400ad5b8347cdd7bf2fe22fbc975afb9c68f49bce9d8a8f9b2
            • Opcode Fuzzy Hash: 167a7734f6f66f8e5c6e0224c412e7d2c4af7560f60a198dbecf0343eef16f6f
            • Instruction Fuzzy Hash: B331E4B191021AEFCB04DFA8DD5DBEE3BB5EB44315F108225F961A72D0C7B09964CB90
            APIs
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00265745
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 0026579D
            • _wcslen.LIBCMT ref: 002657AF
            • _wcslen.LIBCMT ref: 002657BA
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00265816
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: MessageSend$_wcslen
            • String ID:
            • API String ID: 763830540-0
            • Opcode ID: 5b9ae2e3066a4c9b954e70a4344664a34501e5ec4c94feef6f1385ddda1146e3
            • Instruction ID: 493dca822246b53306b4655419cb5ae0a591567d6b8ce1a124f9bf1fe32b8294
            • Opcode Fuzzy Hash: 5b9ae2e3066a4c9b954e70a4344664a34501e5ec4c94feef6f1385ddda1146e3
            • Instruction Fuzzy Hash: 7A21A5719246299ADB219F60DC84AEEB7B8FF44724F108256F929EB1C0DBB089D5CF50
            APIs
            • IsWindow.USER32(00000000), ref: 00250951
            • GetForegroundWindow.USER32 ref: 00250968
            • GetDC.USER32(00000000), ref: 002509A4
            • GetPixel.GDI32(00000000,?,00000003), ref: 002509B0
            • ReleaseDC.USER32(00000000,00000003), ref: 002509E8
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Window$ForegroundPixelRelease
            • String ID:
            • API String ID: 4156661090-0
            • Opcode ID: 907e10e8fa6fcc68b318a9a3e576ed4c1a96e38783ae2d8647bb723099449f9c
            • Instruction ID: 3182b52419e7a6026786c6fb14b69bbf70e8e368fe4d54b191298251be9d57f5
            • Opcode Fuzzy Hash: 907e10e8fa6fcc68b318a9a3e576ed4c1a96e38783ae2d8647bb723099449f9c
            • Instruction Fuzzy Hash: 8F218135600204AFD704EF69DC88AAEBBE9EF44701F14C469E85AD7352CB70AC54CB50
            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 0020CDC6
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0020CDE9
              • Part of subcall function 00203820: RtlAllocateHeap.NTDLL(00000000,?,002A1444,?,001EFDF5,?,?,001DA976,00000010,002A1440,001D13FC,?,001D13C6,?,001D1129), ref: 00203852
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0020CE0F
            • _free.LIBCMT ref: 0020CE22
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0020CE31
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
            • String ID:
            • API String ID: 336800556-0
            • Opcode ID: 2d347c7202047fd0899c4b99f30d5a20ea66ca4682c52e690251a0f899096fec
            • Instruction ID: b00fd5ef4770e3010cd93927fbc45cba2c4b80b6559b20f830e1eddb2d77547f
            • Opcode Fuzzy Hash: 2d347c7202047fd0899c4b99f30d5a20ea66ca4682c52e690251a0f899096fec
            • Instruction Fuzzy Hash: 6701D8F26113157FA3212BB6AC8CC7F696DDEC6BA13354269FD05C7282DAA08D2191B0
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001E9693
            • SelectObject.GDI32(?,00000000), ref: 001E96A2
            • BeginPath.GDI32(?), ref: 001E96B9
            • SelectObject.GDI32(?,00000000), ref: 001E96E2
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: 3bb3aba2d9dde8623efe938efafd01e9bc27600b06decf1b0597949d8c9ab0fa
            • Instruction ID: 224a174e9d9a3cb8124f359c00d7e26d99ed63092a1679638629cece4fccbe56
            • Opcode Fuzzy Hash: 3bb3aba2d9dde8623efe938efafd01e9bc27600b06decf1b0597949d8c9ab0fa
            • Instruction Fuzzy Hash: 28218070802786EBDB119F65FC1C7AE3BA8BB16365F104216F414A61B0DBB059A5CF94
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 804b312414c0d5f2c36733c523674dc3c122260181d994381a57de3d57db249e
            • Instruction ID: 6af608ca5170d88469283ab5f04aa34847798242c3f0d9c496f09c2f4e789a01
            • Opcode Fuzzy Hash: 804b312414c0d5f2c36733c523674dc3c122260181d994381a57de3d57db249e
            • Instruction Fuzzy Hash: B301B9E16A5619FBD60895109E42FBBB35EAB353A4F414021FE0D9A241F760ED70C2E0
            APIs
            • GetLastError.KERNEL32(?,?,?,001FF2DE,00203863,002A1444,?,001EFDF5,?,?,001DA976,00000010,002A1440,001D13FC,?,001D13C6), ref: 00202DFD
            • _free.LIBCMT ref: 00202E32
            • _free.LIBCMT ref: 00202E59
            • SetLastError.KERNEL32(00000000,001D1129), ref: 00202E66
            • SetLastError.KERNEL32(00000000,001D1129), ref: 00202E6F
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: ErrorLast$_free
            • String ID:
            • API String ID: 3170660625-0
            • Opcode ID: 8372225cdcaa44d80253b2dd5bb44406f04e63cb90a1c4b8cf9c8add36b697c6
            • Instruction ID: eb29b2e64063ecdef978b56156f41b0f4303b0c03676ef18fecad7e9dc36c834
            • Opcode Fuzzy Hash: 8372225cdcaa44d80253b2dd5bb44406f04e63cb90a1c4b8cf9c8add36b697c6
            • Instruction Fuzzy Hash: 8501F4362B5701EBC7127B34BC8DD2B265DABD13A5B31402BF865A22D3EEB09C394520
            APIs
            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?,?,?,0023035E), ref: 0023002B
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?,?), ref: 00230046
            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?,?), ref: 00230054
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?), ref: 00230064
            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0022FF41,80070057,?,?), ref: 00230070
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: 1aa54eea7c463cc8d8d9e825357feae27820c11e49e5b4b4840400355745e9c3
            • Instruction ID: 99e639321eefc08fc7f7d2c46463a69e858a7d95dabd71e8babd333df5e38517
            • Opcode Fuzzy Hash: 1aa54eea7c463cc8d8d9e825357feae27820c11e49e5b4b4840400355745e9c3
            • Instruction Fuzzy Hash: 1301F2B2610214BFDB216F68EC88BBA7AEDEF44751F208024F845D3210D7B0DD108BB0
            APIs
            • QueryPerformanceCounter.KERNEL32(?), ref: 0023E997
            • QueryPerformanceFrequency.KERNEL32(?), ref: 0023E9A5
            • Sleep.KERNEL32(00000000), ref: 0023E9AD
            • QueryPerformanceCounter.KERNEL32(?), ref: 0023E9B7
            • Sleep.KERNEL32 ref: 0023E9F3
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: 8c02332be900d1e1269c24a6d56a0db94207747c1c668dcbb7522cf62c61f04c
            • Instruction ID: f7640a3c9eb7513ebb624d3f2eb932e100f2a956db0816545baae2b44457ac7a
            • Opcode Fuzzy Hash: 8c02332be900d1e1269c24a6d56a0db94207747c1c668dcbb7522cf62c61f04c
            • Instruction Fuzzy Hash: 90015B71C11629DBCF00AFE4EC5D7EDBB78BB09301F114556E942B2280CB7095698B62
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00231114
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 00231120
            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 0023112F
            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00230B9B,?,?,?), ref: 00231136
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0023114D
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: 91385213993117d37346359a1d69cc8c1c86f7e01ea3cc033268f5390a92a197
            • Instruction ID: 1e0afd1cf07778095eac437eea9ef62c23856b343b8a1a23a7b49c10f3d636aa
            • Opcode Fuzzy Hash: 91385213993117d37346359a1d69cc8c1c86f7e01ea3cc033268f5390a92a197
            • Instruction Fuzzy Hash: 150131B5200245BFDB115F65EC4DEAA3F6EEF85360F204465FA89D7350DB71DC109A60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00230FCA
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00230FD6
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00230FE5
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00230FEC
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00231002
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 08e4cc3747989137b09e18b2684bfbb53e442dae8b7b6d585435c16cda4ec64a
            • Instruction ID: 18e5a4fcb9888502c39dd493485769de33d0b87bc3bd55d49ea21c589d5a037d
            • Opcode Fuzzy Hash: 08e4cc3747989137b09e18b2684bfbb53e442dae8b7b6d585435c16cda4ec64a
            • Instruction Fuzzy Hash: 2AF06275100311FBD7216FA5EC4DF663B6DEF8A761F208454FD89D7251CAB1DC608A60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0023102A
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00231036
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00231045
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0023104C
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00231062
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 3eb233c2ee0487bf76fcab4d9c1537f4159b984d46f49506e55a43c3920e0f08
            • Instruction ID: d020a4fed966263cce58e5235d22a0f6c1fe13f2fecf5ff58b9be067ab429f3c
            • Opcode Fuzzy Hash: 3eb233c2ee0487bf76fcab4d9c1537f4159b984d46f49506e55a43c3920e0f08
            • Instruction Fuzzy Hash: 2EF06275200311FBD7216FA5EC5DF663B6DEF8A761F204414FD89D7250CAB1D8608A60
            APIs
            • CloseHandle.KERNEL32(?,?,?,?,0024017D,?,002432FC,?,00000001,00212592,?), ref: 00240324
            • CloseHandle.KERNEL32(?,?,?,?,0024017D,?,002432FC,?,00000001,00212592,?), ref: 00240331
            • CloseHandle.KERNEL32(?,?,?,?,0024017D,?,002432FC,?,00000001,00212592,?), ref: 0024033E
            • CloseHandle.KERNEL32(?,?,?,?,0024017D,?,002432FC,?,00000001,00212592,?), ref: 0024034B
            • CloseHandle.KERNEL32(?,?,?,?,0024017D,?,002432FC,?,00000001,00212592,?), ref: 00240358
            • CloseHandle.KERNEL32(?,?,?,?,0024017D,?,002432FC,?,00000001,00212592,?), ref: 00240365
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            • Opcode ID: 676e72a144a5f22ec8e25572c895c06eeea6d95b93247a5c5e096aae7eebc413
            • Instruction ID: b3012a7aa1d3782eca2adf80df55a4b7e04718eb7025ddeaf02df788633db638
            • Opcode Fuzzy Hash: 676e72a144a5f22ec8e25572c895c06eeea6d95b93247a5c5e096aae7eebc413
            • Instruction Fuzzy Hash: 9001A272810B169FC734AF66D8D0416FBF5BF503153158A7FD29652931C3B1A9A4CF80
            APIs
            • _free.LIBCMT ref: 0020D752
              • Part of subcall function 002029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000), ref: 002029DE
              • Part of subcall function 002029C8: GetLastError.KERNEL32(00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000,00000000), ref: 002029F0
            • _free.LIBCMT ref: 0020D764
            • _free.LIBCMT ref: 0020D776
            • _free.LIBCMT ref: 0020D788
            • _free.LIBCMT ref: 0020D79A
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 97f6c68621a07837cde8ef6b55f289a4d2a46b074d1e9cfc2a68cc36361046d4
            • Instruction ID: c5799f2d9689df78453af7b1c89d5cc149c9103ece78691376a93e620140a9c1
            • Opcode Fuzzy Hash: 97f6c68621a07837cde8ef6b55f289a4d2a46b074d1e9cfc2a68cc36361046d4
            • Instruction Fuzzy Hash: 17F0FF32565309EBC721EFA8F9C9C16B7DDBB447107B41806F048E7597C720FC908AA4
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 00235C58
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00235C6F
            • MessageBeep.USER32(00000000), ref: 00235C87
            • KillTimer.USER32(?,0000040A), ref: 00235CA3
            • EndDialog.USER32(?,00000001), ref: 00235CBD
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: c44ce0c362bb279ccd33a2e264da13eb3238da9c01128ca4a195a506364589cb
            • Instruction ID: f43bad140263f05a39608572c05c0b5bcb6f80a0b36e8a4864ca8ae0444709ce
            • Opcode Fuzzy Hash: c44ce0c362bb279ccd33a2e264da13eb3238da9c01128ca4a195a506364589cb
            • Instruction Fuzzy Hash: 1D01D670510B14ABEB206F10ED8EFA677BCBB00B05F00156BF187A14E0DBF4A994CA90
            APIs
            • _free.LIBCMT ref: 002022BE
              • Part of subcall function 002029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000), ref: 002029DE
              • Part of subcall function 002029C8: GetLastError.KERNEL32(00000000,?,0020D7D1,00000000,00000000,00000000,00000000,?,0020D7F8,00000000,00000007,00000000,?,0020DBF5,00000000,00000000), ref: 002029F0
            • _free.LIBCMT ref: 002022D0
            • _free.LIBCMT ref: 002022E3
            • _free.LIBCMT ref: 002022F4
            • _free.LIBCMT ref: 00202305
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 1e76172ffffdc106c97571b123b103bd450bf2898f611f8e8f77359b716d441c
            • Instruction ID: 908d9240e2436a936167f93192b4b3dfb0d43c14f1f83663ba1e3b543a9ac5eb
            • Opcode Fuzzy Hash: 1e76172ffffdc106c97571b123b103bd450bf2898f611f8e8f77359b716d441c
            • Instruction Fuzzy Hash: 55F017B4820224CFCB12AF54BC4D9483A64B71A760B70150BF814E22F2CF304835AEA4
            APIs
            • EndPath.GDI32(?), ref: 001E95D4
            • StrokeAndFillPath.GDI32(?,?,002271F7,00000000,?,?,?), ref: 001E95F0
            • SelectObject.GDI32(?,00000000), ref: 001E9603
            • DeleteObject.GDI32 ref: 001E9616
            • StrokePath.GDI32(?), ref: 001E9631
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: 6f59814cb7699c6ade12a796e683a452b95b506ab84c45f2f7ad369a793c4959
            • Instruction ID: cc9ce001b132a0af688de5aa117fcc0df55c171d9103617b715dcb3cb280932e
            • Opcode Fuzzy Hash: 6f59814cb7699c6ade12a796e683a452b95b506ab84c45f2f7ad369a793c4959
            • Instruction Fuzzy Hash: BCF03C30005685EBDB166F66FD1C77A3B61AB06372F148255F469550F0CB7089A5DF20
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: __freea$_free
            • String ID: a/p$am/pm
            • API String ID: 3432400110-3206640213
            • Opcode ID: 4ecdd693e76b96f2ea71f8a4e5746c3170a48da2869a1e9c8e1d445aaabaa840
            • Instruction ID: 0c68622f401d46ada6f9fec060e5be0592200ebdd79c4749ef454dc415a2be8e
            • Opcode Fuzzy Hash: 4ecdd693e76b96f2ea71f8a4e5746c3170a48da2869a1e9c8e1d445aaabaa840
            • Instruction Fuzzy Hash: A7D1EF31930307CADB289F68C895BBAB7B5FF05300F284199E9459BAD2D3759DB0CB91
            APIs
              • Part of subcall function 001F0242: EnterCriticalSection.KERNEL32(002A070C,002A1884,?,?,001E198B,002A2518,?,?,?,001D12F9,00000000), ref: 001F024D
              • Part of subcall function 001F0242: LeaveCriticalSection.KERNEL32(002A070C,?,001E198B,002A2518,?,?,?,001D12F9,00000000), ref: 001F028A
              • Part of subcall function 001F00A3: __onexit.LIBCMT ref: 001F00A9
            • __Init_thread_footer.LIBCMT ref: 00256238
              • Part of subcall function 001F01F8: EnterCriticalSection.KERNEL32(002A070C,?,?,001E8747,002A2514), ref: 001F0202
              • Part of subcall function 001F01F8: LeaveCriticalSection.KERNEL32(002A070C,?,001E8747,002A2514), ref: 001F0235
              • Part of subcall function 0024359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002435E4
              • Part of subcall function 0024359C: LoadStringW.USER32(002A2390,?,00000FFF,?), ref: 0024360A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
            • String ID: x#*$x#*$x#*
            • API String ID: 1072379062-612482911
            • Opcode ID: 5ab42efe021757aaf16f6cc1b47a84e25f7e45811b8e9a0751685b99ffa86081
            • Instruction ID: f855778f857c12e79d037f249a64f9713a1c15388dc58e5e1b0f0d522acb09e6
            • Opcode Fuzzy Hash: 5ab42efe021757aaf16f6cc1b47a84e25f7e45811b8e9a0751685b99ffa86081
            • Instruction Fuzzy Hash: 29C1B071A1010AAFCB14DF58C894EBEB7B9FF59300F508069F9059B251DB70ED59CB94
            APIs
              • Part of subcall function 0023B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002321D0,?,?,00000034,00000800,?,00000034), ref: 0023B42D
            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00232760
              • Part of subcall function 0023B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0023B3F8
              • Part of subcall function 0023B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0023B355
              • Part of subcall function 0023B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00232194,00000034,?,?,00001004,00000000,00000000), ref: 0023B365
              • Part of subcall function 0023B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00232194,00000034,?,?,00001004,00000000,00000000), ref: 0023B37B
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002327CD
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0023281A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
            • String ID: @
            • API String ID: 4150878124-2766056989
            • Opcode ID: aac3187fb52499425a79569fef38ad258506c993b38cee285055b58b632c30d4
            • Instruction ID: 82f4a6eb46ae41dc3aabf1b05453c06ce5af4f73604c08d4f6ee89ce11cb3f75
            • Opcode Fuzzy Hash: aac3187fb52499425a79569fef38ad258506c993b38cee285055b58b632c30d4
            • Instruction Fuzzy Hash: A5413CB2900219BFDB15DFA4CD45AEEBBB8AF09700F104095FA55B7181DB706E59CBA0
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PI_2024.exe,00000104), ref: 00201769
            • _free.LIBCMT ref: 00201834
            • _free.LIBCMT ref: 0020183E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2027588981.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true
            • Associated: 00000000.00000002.2027186473.00000000001D0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.000000000026C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027688929.0000000000292000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027825816.000000000029C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2027904573.00000000002A4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1d0000_PI_2024.jbxd
            Similarity
            • API ID: _free$FileModuleName
            • String ID: C:\Users\user\Desktop\PI_2024.exe
            • API String ID: 2506810119-1460691011
            • Opcode ID: 927eec42dd4c51004eecdb179d577712e2ac6c420120c7c97bcbe9757559ad1b
            • Instruction ID: c7bb4e92281080a76d6467063e78a31d57f5a4012fb8fa041f1a1cdabc984a58
            • Opcode Fuzzy Hash: 927eec42dd4c51004eecdb179d577712e2ac6c420120c7c97bcbe9757559ad1b
            • Instruction Fuzzy Hash: D1316075A10319EBDB21DF999885D9EBBFCEB85310F244166F90497292DBB08E70CB90
            APIs
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0023C306
            • DeleteMenu.USER32(?,00000007,00000000), ref: 0023C34C
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002A1990,01595840), ref: 0023C395
            Similarity
            • API ID: Menu$Delete$InfoItem
            • String ID: 0
            • API String ID: 135850232-4108050209
            • Opcode ID: bddd56020df93152ce3d975fd6001802d309bdde7c74c5a1490f81bf483dea30
            • Instruction ID: 5d3ad1bdc39279b427e80596df52bef15e722f1ce59398fef3820c0d0fa5c407
            • Instruction Fuzzy Hash: A441C3B12143029FD720DF24D884B2ABBE4FF85310F20866DF9A5A72D1D770E914CB52
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0026CC08,00000000,?,?,?,?), ref: 002644AA
            • GetWindowLongW.USER32 ref: 002644C7
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 002644D7
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: db9abe687b25ac8bbd5b3c80ee0919cfd245941645e7d4c7f67312ef24ba0a7a
            • Instruction ID: 934cee0548e6fa504190775995c75a4d4edee496a6bcc297ee0449e50b48617c
            • Instruction Fuzzy Hash: 8631A431220646AFDF11AF38DC45BEA77A9EB19334F204715F9B5921D0DB70ECA09B50
            APIs
            • SysReAllocString.OLEAUT32(?,?), ref: 00236EED
            • VariantCopyInd.OLEAUT32(?,?), ref: 00236F08
            • VariantClear.OLEAUT32(?), ref: 00236F12
            Similarity
            • API ID: Variant$AllocClearCopyString
            • String ID: *j#
            • API String ID: 2173805711-4159629435
            • Opcode ID: ae89c3d815b0fa9d0dd99413fbba3e5410afa022669f2b37536a49cc901723ce
            • Instruction ID: eaa2c8163e3f5275304713b152ab75ac75c0af7da55685055a983eca0c9efd99
            • Instruction Fuzzy Hash: 6431A1B1618246EFCB05AFA4F8989BD3779FF54300F2084A9F8074B7A1CB749921DB90
            APIs
              • Part of subcall function 0025335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00253077,?,?), ref: 00253378
            • inet_addr.WSOCK32(?), ref: 0025307A
            • _wcslen.LIBCMT ref: 0025309B
            • htons.WSOCK32(00000000), ref: 00253106
            Similarity
            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 946324512-2422070025
            • Opcode ID: 1b3d620ab42dd3cadbfa08e2b0827ff0f2c2918dc298681a6afa0472ceee1dfa
            • Instruction ID: 157e576ae048ed72fde99b0a28c96bf50be00aafbf6fe5c865e0ad64c9716102
            • Instruction Fuzzy Hash: 4131D5352103069FCB20DF28C485EAA77E0EF14399F24D059ED158B392D772DE59CB64
            APIs
            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00264705
            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00264713
            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0026471A
            Similarity
            • API ID: MessageSend$DestroyWindow
            • String ID: msctls_updown32
            • API String ID: 4014797782-2298589950
            • Opcode ID: 19d5c238cc79761e3d9954c300cb010bcc1d82af40d16769a8cf2d26f14c09b7
            • Instruction ID: 63c7c263992d86535f0d4688936a6f65332e41951b85c265a6b9d00bf46ec260
            • Instruction Fuzzy Hash: 8421A1B5610209AFDB11EF64DCC5DB777ADEF5A3A4B140049FA009B361CB70EC61CA60
            Similarity
            • API ID: _wcslen
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 176396367-2734436370
            • Opcode ID: e58f2dd35c02f2278fdc43ce330e12d1ff752b99c59051a7b087a2bce168cbe8
            • Instruction ID: da74c89482bc74976e429e5ce8cc6d44d3ef7f42114f3032b975484a4d8460ed
            • Instruction Fuzzy Hash: 47215EB212561166D731AF289C03FB773DCAF67300F504026FA4997181EBE1ADE1C695
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00263840
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00263850
            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00263876
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: b41aa9408b0df13a281d94c7efe9cff6050eac2042702c567c8ef5bfba5b0458
            • Instruction ID: ad2075ec185b475c9e517134b9dea2b30d9d764dd4463774ad93a32d508c3283
            • Instruction Fuzzy Hash: 94218072620119BBEF12DF54DC85EBB77AEEF89760F108114F9549B190C6B1DCA18BA0
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00244A08
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00244A5C
            • SetErrorMode.KERNEL32(00000000,?,?,0026CC08), ref: 00244AD0
            Similarity
            • API ID: ErrorMode$InformationVolume
            • String ID: %lu
            • API String ID: 2507767853-685833217
            • Opcode ID: 359deefffff3047bde8ddfeb17249eb0f1cb25e7143f122ccf2b2c45ab2f0d45
            • Instruction ID: adea731577753f967d95d897a6cca2c15ec303acfe955382d6ab13e6ea23738d
            • Instruction Fuzzy Hash: BC317375A10109AFDB10EF54D885EAA77F8EF09304F148095F909DB352DB71EE45CB61
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0026424F
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00264264
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00264271
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: 90044eb9154f05142ec6273f4e1cc5a7b142b3d3e2e11513990d69d1323edb1a
            • Instruction ID: cd6edfd8c5547794d43484f950dd5d137997202d76bb7084b806a0967f3fadb9
            • Instruction Fuzzy Hash: 8D110631260209BEEF206F28CC46FAB3BACEF95B64F110114FA95E2090D6B1DCA19B10
            APIs
              • Part of subcall function 001D6B57: _wcslen.LIBCMT ref: 001D6B6A
              • Part of subcall function 00232DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00232DC5
              • Part of subcall function 00232DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00232DD6
              • Part of subcall function 00232DA7: GetCurrentThreadId.KERNEL32 ref: 00232DDD
              • Part of subcall function 00232DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00232DE4
            • GetFocus.USER32 ref: 00232F78
              • Part of subcall function 00232DEE: GetParent.USER32(00000000), ref: 00232DF9
            • GetClassNameW.USER32(?,?,00000100), ref: 00232FC3
            • EnumChildWindows.USER32(?,0023303B), ref: 00232FEB
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
            • String ID: %s%d
            • API String ID: 1272988791-1110647743
            • Opcode ID: 133ef30a0c847c3b0585c699da8dafacde4db6e532a458ca734eaf8883ed37ef
            • Instruction ID: f352092f2b31ed7f7794c82c1bff5ad947ed0b0b602b56e1e8a1ed5a13111a11
            • Instruction Fuzzy Hash: 0011A2B1710209ABCF15BF60DC85EFD376AAF94314F148076F9099B252DF709A598B70
            APIs
            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002658C1
            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002658EE
            • DrawMenuBar.USER32(?), ref: 002658FD
            Similarity
            • API ID: Menu$InfoItem$Draw
            • String ID: 0
            • API String ID: 3227129158-4108050209
            • Opcode ID: 08d2035ccec3d48454f288cb76d34931fb2d387be7b7457260387b9252369de0
            • Instruction ID: 136c486bc7acedff7bc48af9c7b8b3ed517d382bfa1c96f4289a8f3f22d71be7
            • Instruction Fuzzy Hash: BC015B31510268EEDB21AF11EC48BAEBBB4FF45360F108099E889D6151DB709A94DF61
            APIs
            • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0022D3BF
            • FreeLibrary.KERNEL32 ref: 0022D3E5
            Similarity
            • API ID: AddressFreeLibraryProc
            • String ID: GetSystemWow64DirectoryW$X64
            • API String ID: 3013587201-2590602151
            • Opcode ID: cd84ee6cefd64926da0d281e91c7b14148854b1094f3bef45d313fe2d1832dbc
            • Instruction ID: 15752a85c90a029553bd1df7dce8a330effa631d6762e59a0705276431377939
            • Instruction Fuzzy Hash: 01F05C31831A32F7D7356A90AC189BD33145F12701B78C6D5FC45E1105DB90CCB04692
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d22485bddf0410e3cfbe8601e30b680f34b93539199faafcf956ae0a4b71adb0
            • Instruction ID: 790f3bddf7e0ff0c7a3f47a253dfd3d4ed58074d8fd0c2e15a3907dfb32bda63
            • Instruction Fuzzy Hash: 04C15CB5A10206EFDB14CF94C8A4EAEB7B5FF48704F208598E905EB251D771ED91CBA0
            Similarity
            • API ID: Variant$ClearInitInitializeUninitialize
            • String ID:
            • API String ID: 1998397398-0
            • Opcode ID: a2a50bc206dbd876bd47db5b119d0e401939f52dab3b6d2cbdc0acfc0dad23de
            • Instruction ID: a3c818761c9216578d686c1f5580d162098a81316c5cc3df398eb7901d01331c
            • Instruction Fuzzy Hash: ADA169756142019FC700DF28D485A2AB7E5FF88355F04895EFD8A9B3A2DB30EE05CB96
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0026FC08,?), ref: 002305F0
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0026FC08,?), ref: 00230608
            • CLSIDFromProgID.OLE32(?,?,00000000,0026CC40,000000FF,?,00000000,00000800,00000000,?,0026FC08,?), ref: 0023062D
            • _memcmp.LIBVCRUNTIME ref: 0023064E
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID:
            • API String ID: 314563124-0
            • Opcode ID: 4ccf227cf3621b067b81a142c31801ea9095874789f17b0bd0bbc166367d675c
            • Instruction ID: ef2e15ebd9eaa7092db947640957471218de778ae177a55e8537fbb66cb37fba
            • Instruction Fuzzy Hash: 0A812DB1A10109EFCB04DF94C994EEEB7B9FF89315F204598E516AB250DB71AE06CF60
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: 3d25cb05b986ee8194b2584b7388fc6b77ce2a4ef72f9c07aca3838252cc3b80
            • Instruction ID: 7072fca25fea56fd065787387a422bfd8dee06f956be69672bd72ff220b86224
            • Instruction Fuzzy Hash: 32417B31620205ABDB217FF89C46AFE3AE5EF71730F244225F619C21D2E7B088F15662
            APIs
            • GetWindowRect.USER32(0159EB98,?), ref: 002662E2
            • ScreenToClient.USER32(?,?), ref: 00266315
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00266382
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: 1d01b9323ca3434a18db0f603c2502611be0e478a229acfa58b03b52ff007a30
            • Instruction ID: 81546b03db6ca7b5718a4f7c08c1274a2b627e4ac66702a8face86a08df24acb
            • Instruction Fuzzy Hash: 1B513C74A1024AAFCF14DF58D8889AE7BB5EF45760F10819AF81597290D730EDA1CB90
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 00251AFD
            • WSAGetLastError.WSOCK32 ref: 00251B0B
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00251B8A
            • WSAGetLastError.WSOCK32 ref: 00251B94
            Similarity
            • API ID: ErrorLast$socket
            • String ID:
            • API String ID: 1881357543-0
            • Opcode ID: 9799f333ae326ff6826d727009b0d348626001351dfb79375163cf7ab1c45ee6
            • Instruction ID: e54b5904873ced91244be5960620b1fb81ab42faa15e16905c60d8a7dc75c122
            • Instruction Fuzzy Hash: 6C41E334600201AFE721AF24D886F2A77E5AB58718F54C44CF95A9F3D2D7B2DD91CB90
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1547be093fd44c92322b12448ac4c81129fd0edc5c755e5ba989212ce9b58542
            • Instruction ID: 8373274cff1a8841d96754010c332d30d85a48d86252988cecd73ea6de32e4b1
            • Instruction Fuzzy Hash: 85411771A20304AFD7359F78CC41BAABBE9EB88710F10456EF141DB2C2D3719A618B90
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00245783
            • GetLastError.KERNEL32(?,00000000), ref: 002457A9
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002457CE
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002457FA
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: c4a8e1bcd56e286d0140cf5f656f876fd8766037b7841e0b491e85abec726d12
            • Instruction ID: 160d07b17cae23bfaaa855fd31a7d0ee53b4c04f3ef3b4f75acd62a2cfcac6e7
            • Opcode Fuzzy Hash: c4a8e1bcd56e286d0140cf5f656f876fd8766037b7841e0b491e85abec726d12
            • Instruction Fuzzy Hash: 5D412C35600611DFCB15EF15D444A5EBBE2EF99720B19C989EC4AAB3A2DB30FD40CB91
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,001F6D71,00000000,00000000,001F82D9,?,001F82D9,?,00000001,001F6D71,8BE85006,00000001,001F82D9,001F82D9), ref: 0020D910
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0020D999
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0020D9AB
            • __freea.LIBCMT ref: 0020D9B4
              • Part of subcall function 00203820: RtlAllocateHeap.NTDLL(00000000,?,002A1444,?,001EFDF5,?,?,001DA976,00000010,002A1440,001D13FC,?,001D13C6,?,001D1129), ref: 00203852
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
            • String ID:
            • API String ID: 2652629310-0
            • Opcode ID: a5d1e43152575b9330d77abb8fddc4195f07a6002b3b9230d80e73da1a0cfe08
            • Instruction ID: f42a34a6af02de1dfd748c8c25883a637c70207e0dad42d9fd2915ba50b7ed96
            • Opcode Fuzzy Hash: a5d1e43152575b9330d77abb8fddc4195f07a6002b3b9230d80e73da1a0cfe08
            • Instruction Fuzzy Hash: F231CF72A2120AABDF25DFA4DC45EBE7BA5EB45310F154168FC04D7292EB35CD60CBA0
            APIs
            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00265352
            • GetWindowLongW.USER32(?,000000F0), ref: 00265375
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00265382
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002653A8
            Similarity
            • API ID: LongWindow$InvalidateMessageRectSend
            • String ID:
            • API String ID: 3340791633-0
            • Opcode ID: f4fbeee4a4d5738de7e582873f1d3faa22dca5d79a64f92e0b016b440dc2e339
            • Instruction ID: f5c36b7193f8fd6b1627a061920a901dab812107cf9e3c13b11c5b8395d64e5f
            • Opcode Fuzzy Hash: f4fbeee4a4d5738de7e582873f1d3faa22dca5d79a64f92e0b016b440dc2e339
            • Instruction Fuzzy Hash: 5631E634A75A29EFEB349E14CC45BE83765AB05B90F544182FA11963E0C7F099F0DB42
            APIs
            • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0023ABF1
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 0023AC0D
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 0023AC74
            • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0023ACC6
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: c366e01aebc04603590ffa6c59cef0b29cfcd17ab730298cb78056a3657d6db8
            • Instruction ID: acb93c193ebfc4204fcc27e0884256281eaa6913a4de622f9b42098bbd81a1e1
            • Opcode Fuzzy Hash: c366e01aebc04603590ffa6c59cef0b29cfcd17ab730298cb78056a3657d6db8
            • Instruction Fuzzy Hash: B63139B0A243196FEF35CF65CC087FA7BA5AB89310F045B2BE4C1521D1C3B58DA18752
            APIs
            • ClientToScreen.USER32(?,?), ref: 0026769A
            • GetWindowRect.USER32(?,?), ref: 00267710
            • PtInRect.USER32(?,?,00268B89), ref: 00267720
            • MessageBeep.USER32(00000000), ref: 0026778C
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            • Opcode ID: 7013fc89a58cfc1a55f93a68e20c3313e50c858f3f8003f11864ff6cbb781d56
            • Instruction ID: 80675efa06990e64e86d7ce39cc57dd825b7fdea650d4f3063ae849ae3531df8
            • Opcode Fuzzy Hash: 7013fc89a58cfc1a55f93a68e20c3313e50c858f3f8003f11864ff6cbb781d56
            • Instruction Fuzzy Hash: 0641BF34A15216DFDB02CF58E898EA9B7F4FF49318F1480A8E4149B261DB70E9A1CF90
            APIs
            • GetForegroundWindow.USER32 ref: 002616EB
              • Part of subcall function 00233A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00233A57
              • Part of subcall function 00233A3D: GetCurrentThreadId.KERNEL32 ref: 00233A5E
              • Part of subcall function 00233A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002325B3), ref: 00233A65
            • GetCaretPos.USER32(?), ref: 002616FF
            • ClientToScreen.USER32(00000000,?), ref: 0026174C
            • GetForegroundWindow.USER32 ref: 00261752
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            • Opcode ID: 842281ea05f348b1e9560493fd5a28193dd662cf917e5ec525e1d7866eb71f24
            • Instruction ID: 729aaf85169d2e39c9a01fe6df2ab0cf71e139d12e122c17754fbaa7e38d0a77
            • Opcode Fuzzy Hash: 842281ea05f348b1e9560493fd5a28193dd662cf917e5ec525e1d7866eb71f24
            • Instruction Fuzzy Hash: 27313E71D10149AFCB04EFA9C885CAEBBF9EF58304B5480AAE455E7351E731AE45CBA0
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 0023D501
            • Process32FirstW.KERNEL32(00000000,?), ref: 0023D50F
            • Process32NextW.KERNEL32(00000000,?), ref: 0023D52F
            • CloseHandle.KERNEL32(00000000), ref: 0023D5DC
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID:
            • API String ID: 420147892-0
            • Opcode ID: e624e789e274d2e20f799007ecb52386625348a7a2c76220ccbadf2357c9ca9a
            • Instruction ID: 0add8dbaa75d4c1a5593efef37f8f7c14b338a30396d89e0a4f9646dd3dbd738
            • Opcode Fuzzy Hash: e624e789e274d2e20f799007ecb52386625348a7a2c76220ccbadf2357c9ca9a
            • Instruction Fuzzy Hash: 0531D4711083019FD300EF54E885ABFBBF8EFA9344F54092EF585872A1EB719948CB92
            APIs
              • Part of subcall function 001E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001E9BB2
            • GetCursorPos.USER32(?), ref: 00269001
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00227711,?,?,?,?,?), ref: 00269016
            • GetCursorPos.USER32(?), ref: 0026905E
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00227711,?,?,?), ref: 00269094
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            • Opcode ID: c269fbcb61aff4392a8a25af202876a8741b419006f78d68bbbfca823a386f15
            • Instruction ID: fe0f00880e17e16c38da1568e019e7016666f4f14245e87f1ec00f4461c810a3
            • Opcode Fuzzy Hash: c269fbcb61aff4392a8a25af202876a8741b419006f78d68bbbfca823a386f15
            • Instruction Fuzzy Hash: EB21DE35611018EFCF258F94DC58EFA7BB9EF8A360F104069F9059B261CB7199E0DB60
            APIs
            • GetFileAttributesW.KERNEL32(?,0026CB68), ref: 0023D2FB
            • GetLastError.KERNEL32 ref: 0023D30A
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0023D319
            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0026CB68), ref: 0023D376
            Similarity
            • API ID: CreateDirectory$AttributesErrorFileLast
            • String ID:
            • API String ID: 2267087916-0
            • Opcode ID: be20a5acf3a87cf8e16453c0f09629f5761666183690ddb76aeb9d5b4d6f5b25
            • Instruction ID: de6d94590574d7ccbee628c81305606e8ba4868104ffe8a6babf7a68aa94cc38
            • Opcode Fuzzy Hash: be20a5acf3a87cf8e16453c0f09629f5761666183690ddb76aeb9d5b4d6f5b25
            • Instruction Fuzzy Hash: CF21B2B05193029F8300EF28E88596E77E4EE56724F204A5EF899C72A1D731DD5ACF93
            APIs
              • Part of subcall function 00231014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0023102A
              • Part of subcall function 00231014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00231036
              • Part of subcall function 00231014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00231045
              • Part of subcall function 00231014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0023104C
              • Part of subcall function 00231014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00231062
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002315BE
            • _memcmp.LIBVCRUNTIME ref: 002315E1
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00231617
            • HeapFree.KERNEL32(00000000), ref: 0023161E
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            • Opcode ID: 7054259f84e5d00d6f8483efe1d090f643a8e2d1900c299391cf81c32888513a
            • Instruction ID: 38a3c4726fc73f66caf7c2704a539e60bb9c281e9c60609c84fb0ae11e6c68a5
            • Opcode Fuzzy Hash: 7054259f84e5d00d6f8483efe1d090f643a8e2d1900c299391cf81c32888513a
            • Instruction Fuzzy Hash: 3121AFB1E10109EFDF04DFA5C949BEEB7B8EF44354F188469E445AB241E770AA25CFA0
            APIs
            • GetWindowLongW.USER32(?,000000EC), ref: 0026280A
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00262824
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00262832
            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00262840
            Similarity
            • API ID: Window$Long$AttributesLayered
            • String ID:
            • API String ID: 2169480361-0
            • Opcode ID: 92baa3b163b67dd8a4c6fa8ed1c0f5d64fab6cd98525259a5dce655f4326761f
            • Instruction ID: 03cf1323e0f0202cd748f9f42c8f3564b0beb95fc89a4cb9825da13a0e09e433
            • Opcode Fuzzy Hash: 92baa3b163b67dd8a4c6fa8ed1c0f5d64fab6cd98525259a5dce655f4326761f
            • Instruction Fuzzy Hash: 8D21F431214912EFD7149B24DC44FAAB795EF45324F248159F4168B6E2C7B1FC86CBD0
            APIs
              • Part of subcall function 00238D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0023790A,?,000000FF,?,00238754,00000000,?,0000001C,?,?), ref: 00238D8C
              • Part of subcall function 00238D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00238DB2
              • Part of subcall function 00238D7D: lstrcmpiW.KERNEL32(00000000,?,0023790A,?,000000FF,?,00238754,00000000,?,0000001C,?,?), ref: 00238DE3
            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00238754,00000000,?,0000001C,?,?,00000000), ref: 00237923
            • lstrcpyW.KERNEL32(00000000,?), ref: 00237949
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00238754,00000000,?,0000001C,?,?,00000000), ref: 00237984
            Strings
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: 55777e360bc3f19fdaadeea0b9232c879a6839ee22b4d8767d163f198918cccd
            • Instruction ID: c04f65fd86c0d52a57b97b2c703c24d310924a49797aea0058c648d3361a24e5
            • Opcode Fuzzy Hash: 55777e360bc3f19fdaadeea0b9232c879a6839ee22b4d8767d163f198918cccd
            • Instruction Fuzzy Hash: EC1129BA210342ABCF256F39D844E7A77E5FF45350F10812AF846CB264EB71D821C751
            APIs
            • GetWindowLongW.USER32(?,000000F0), ref: 00267D0B
            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00267D2A
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00267D42
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0024B7AD,00000000), ref: 00267D6B
              • Part of subcall function 001E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001E9BB2
            Similarity
            • API ID: Window$Long
            • String ID:
            • API String ID: 847901565-0
            • Opcode ID: 71186a71ec5b58d5d1f3989ee4b65cc82bf2e5d63389128ea8ebb48af695f348
            • Instruction ID: 22f48910a3738662b0c644ab14f348abb080f35ee39e2f052b79346047b43a64
            • Opcode Fuzzy Hash: 71186a71ec5b58d5d1f3989ee4b65cc82bf2e5d63389128ea8ebb48af695f348
            • Instruction Fuzzy Hash: B411A5316246569FCB109F28EC08A7A3BA5AF46374F258724F835D71F0E77099B0CB50
            APIs
            • SendMessageW.USER32(?,00001060,?,00000004), ref: 002656BB
            • _wcslen.LIBCMT ref: 002656CD
            • _wcslen.LIBCMT ref: 002656D8
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00265816
            Similarity
            • API ID: MessageSend_wcslen
            • String ID:
            • API String ID: 455545452-0
            • Opcode ID: 9fb5aedd162e9256618ba3ee29b9e17f0475f97cd132abe80ab8135ab1299e28
            • Instruction ID: 965bbc84e2dfe2222c4a42207f1c78e08406bbdaa84a63f2bd854cbe0fc0ba74
            • Opcode Fuzzy Hash: 9fb5aedd162e9256618ba3ee29b9e17f0475f97cd132abe80ab8135ab1299e28
            • Instruction Fuzzy Hash: C311267162062A96DF20DF61DC85AFE77ACFF11764F10406AF915D6081EBB0CAE0CB60
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00231A47
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00231A59
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00231A6F
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00231A8A
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 7e276e3d557437f5dc60526386ba90c1302f9f34f05ab72a16a93d463f0f0994
            • Instruction ID: f3c9031ace782b47a946e5614b6aa84c8dec7b495ddbaa7c7caa3269feeac312
            • Opcode Fuzzy Hash: 7e276e3d557437f5dc60526386ba90c1302f9f34f05ab72a16a93d463f0f0994
            • Instruction Fuzzy Hash: 2211097AD01219FFEB11DBA5CD85FADBB78EB08750F200091EA04B7294D6B16E60DB94
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 0023E1FD
            • MessageBoxW.USER32(?,?,?,?), ref: 0023E230
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0023E246
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0023E24D
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
            • String ID:
            • API String ID: 2880819207-0
            • Opcode ID: b8cd5e1b6c970a3a323961185d53dcc33306595a4cd991cc50039e84246328e7
            • Instruction ID: 3e3fecfbecce06f32ba2c511220a96cf63608ef71ab8c7671c4b0997ab2c9a91
            • Opcode Fuzzy Hash: b8cd5e1b6c970a3a323961185d53dcc33306595a4cd991cc50039e84246328e7
            • Instruction Fuzzy Hash: 6C1108B2914255BBCF01AFA8BC0DAAF7FAC9B46320F108295FD14D32D0D6B09D1487A0
            APIs
            • CreateThread.KERNEL32(00000000,?,001FCFF9,00000000,00000004,00000000), ref: 001FD218
            • GetLastError.KERNEL32 ref: 001FD224
            • __dosmaperr.LIBCMT ref: 001FD22B
            • ResumeThread.KERNEL32(00000000), ref: 001FD249
            Similarity
            • API ID: Thread$CreateErrorLastResume__dosmaperr
            • String ID:
            • API String ID: 173952441-0
            • Opcode ID: abcb62812380f941c896537e63aec37b1a6b533b903eebb5295a95ae67bf7254
            • Instruction ID: 6b4b6a767c039eaa3d910e343aeb62df987aee55a19bf838c4997bc8ee633deb
            • Opcode Fuzzy Hash: abcb62812380f941c896537e63aec37b1a6b533b903eebb5295a95ae67bf7254
            • Instruction Fuzzy Hash: 4C01D23680520CBBDB116BA5EC09BBE7A6ADF82331F204259FA25961D0CFB1C901C6E0
            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001D604C
            • GetStockObject.GDI32(00000011), ref: 001D6060
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 001D606A
            Similarity
            • API ID: CreateMessageObjectSendStockWindow
            • String ID:
            • API String ID: 3970641297-0
            APIs
            • ___BuildCatchObject.LIBVCRUNTIME ref: 001F3B56
              • Part of subcall function 001F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 001F3AD2
              • Part of subcall function 001F3AA3: ___AdjustPointer.LIBCMT ref: 001F3AED
            • _UnwindNestedFrames.LIBCMT ref: 001F3B6B
            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 001F3B7C
            • CallCatchBlock.LIBVCRUNTIME ref: 001F3BA4
            Similarity
            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
            • String ID:
            • API String ID: 737400349-0
            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001D13C6,00000000,00000000,?,0020301A,001D13C6,00000000,00000000,00000000,?,0020328B,00000006,FlsSetValue), ref: 002030A5
            • GetLastError.KERNEL32(?,0020301A,001D13C6,00000000,00000000,00000000,?,0020328B,00000006,FlsSetValue,00272290,FlsSetValue,00000000,00000364,?,00202E46), ref: 002030B1
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0020301A,001D13C6,00000000,00000000,00000000,?,0020328B,00000006,FlsSetValue,00272290,FlsSetValue,00000000), ref: 002030BF
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0023747F
            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00237497
            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002374AC
            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002374CA
            Similarity
            • API ID: Type$Register$FileLoadModuleNameUser
            • String ID:
            • API String ID: 1352324309-0
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0023ACD3,?,00008000), ref: 0023B0C4
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0023ACD3,?,00008000), ref: 0023B0E9
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0023ACD3,?,00008000), ref: 0023B0F3
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0023ACD3,?,00008000), ref: 0023B126
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00232DC5
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00232DD6
            • GetCurrentThreadId.KERNEL32 ref: 00232DDD
            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00232DE4
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            APIs
              • Part of subcall function 001E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001E9693
              • Part of subcall function 001E9639: SelectObject.GDI32(?,00000000), ref: 001E96A2
              • Part of subcall function 001E9639: BeginPath.GDI32(?), ref: 001E96B9
              • Part of subcall function 001E9639: SelectObject.GDI32(?,00000000), ref: 001E96E2
            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00268887
            • LineTo.GDI32(?,?,?), ref: 00268894
            • EndPath.GDI32(?), ref: 002688A4
            • StrokePath.GDI32(?), ref: 002688B2
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            APIs
            • GetSysColor.USER32(00000008), ref: 001E98CC
            • SetTextColor.GDI32(?,?), ref: 001E98D6
            • SetBkMode.GDI32(?,00000001), ref: 001E98E9
            • GetStockObject.GDI32(00000005), ref: 001E98F1
            Similarity
            • API ID: Color$ModeObjectStockText
            • String ID:
            • API String ID: 4037423528-0
            APIs
            • GetCurrentThread.KERNEL32 ref: 00231634
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,002311D9), ref: 0023163B
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002311D9), ref: 00231648
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,002311D9), ref: 0023164F
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            APIs
            • GetDesktopWindow.USER32 ref: 0022D858
            • GetDC.USER32(00000000), ref: 0022D862
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0022D882
            • ReleaseDC.USER32(?), ref: 0022D8A3
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            APIs
            • GetDesktopWindow.USER32 ref: 0022D86C
            • GetDC.USER32(00000000), ref: 0022D876
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0022D882
            • ReleaseDC.USER32(?), ref: 0022D8A3
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            APIs
              • Part of subcall function 001D7620: _wcslen.LIBCMT ref: 001D7625
            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00244ED4
            Similarity
            • API ID: Connection_wcslen
            • String ID: *$LPT
            • API String ID: 1725874428-3443410124
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 001FE30D
            Similarity
            • API ID: ErrorHandling__start
            • String ID: pow
            • API String ID: 3213639722-2276729525
            APIs
            • CharUpperBuffW.USER32(0022569E,00000000,?,0026CC08,?,00000000,00000000), ref: 002578DD
              • Part of subcall function 001D6B57: _wcslen.LIBCMT ref: 001D6B6A
            • CharUpperBuffW.USER32(0022569E,00000000,?,0026CC08,00000000,?,00000000,00000000), ref: 0025783B
            Similarity
            • API ID: BuffCharUpper$_wcslen
            • String ID: <s)
            • API String ID: 3544283678-2492495807
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            APIs
            • Sleep.KERNEL32(00000000), ref: 001EF2A2
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 001EF2BB
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            APIs
            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002557E0
            • _wcslen.LIBCMT ref: 002557EC
            Similarity
            • API ID: BuffCharUpper_wcslen
            • String ID: CALLARGARRAY
            • API String ID: 157775604-1150593374
            APIs
            • _wcslen.LIBCMT ref: 0024D130
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0024D13A
            Similarity
            • API ID: CrackInternet_wcslen
            • String ID: |
            • API String ID: 596671847-2343686810
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00263621
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0026365C
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            APIs
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0026461F
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00264634
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: '
            • API String ID: 3850602802-1997036262
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0026327C
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00263287
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            APIs
              • Part of subcall function 001D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001D604C
              • Part of subcall function 001D600E: GetStockObject.GDI32(00000011), ref: 001D6060
              • Part of subcall function 001D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001D606A
            • GetWindowRect.USER32(00000000,?), ref: 0026377A
            • GetSysColor.USER32(00000012), ref: 00263794
            Strings
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0024CD7D
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0024CDA6
            Strings
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 002634AB
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002634BA
            Strings
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            APIs
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            • CharUpperBuffW.USER32(?,?,?), ref: 00236CB6
            • _wcslen.LIBCMT ref: 00236CC2
            Strings
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: STOP
            • API String ID: 1256254125-2411985666
            APIs
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
              • Part of subcall function 00233CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00233CCA
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00231C46
            Strings
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            APIs
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
              • Part of subcall function 00233CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00233CCA
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00231CC8
            Strings
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            APIs
            • __Init_thread_footer.LIBCMT ref: 001EA529
              • Part of subcall function 001D9CB3: _wcslen.LIBCMT ref: 001D9CBD
            Strings
            Similarity
            • API ID: Init_thread_footer_wcslen
            • String ID: ,%*$3y"
            • API String ID: 2551934079-1803669325
            APIs
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002A3018,002A305C), ref: 002681BF
            • CloseHandle.KERNEL32 ref: 002681D1
            Strings
            Similarity
            • API ID: CloseCreateHandleProcess
            • String ID: \0*
            • API String ID: 3712363035-2652565987
            APIs
            Strings
            Similarity
            • API ID: _wcslen
            • String ID: 3, 3, 16, 1
            • API String ID: 176396367-3042988571
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00230B23
            Strings
            Similarity
            • API ID: Message
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 2030045667-4017498283
            APIs
              • Part of subcall function 001EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001F0D71,?,?,?,001D100A), ref: 001EF7CE
            • IsDebuggerPresent.KERNEL32(?,?,?,001D100A), ref: 001F0D75
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001D100A), ref: 001F0D84
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001F0D7F
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 55579361-631824599
            APIs
            • __Init_thread_footer.LIBCMT ref: 001EE3D5
            Strings
            Similarity
            • API ID: Init_thread_footer
            • String ID: 0%*$8%*
            • API String ID: 1385522511-3749661820
            APIs
            Strings
            Similarity
            • API ID: LocalTime
            • String ID: %.3d$X64
            • API String ID: 481472006-1077770165
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0026232C
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0026233F
              • Part of subcall function 0023E97B: Sleep.KERNEL32 ref: 0023E9F3
            Strings
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0026236C
            • PostMessageW.USER32(00000000), ref: 00262373
              • Part of subcall function 0023E97B: Sleep.KERNEL32 ref: 0023E9F3
            Strings
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461