
Windows Analysis Report
3TpW2Sn68z.exe

Overview

General Information

Sample name: 3TpW2Sn68z.exe (renamed because the original name is a hash value)
Original sample name: 560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e.exe
Analysis ID: 1504845
MD5: c7fc0cee8ca35d709ed276e9f88ddbed
SHA1: ceea9d76bf0429872f4d7420addd0abdb5e8f4dc
SHA256: 560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e
Tags: exe

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Suspect Svchost Activity
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 3TpW2Sn68z.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\3TpW2Sn68z.exe" MD5: C7FC0CEE8CA35D709ED276E9F88DDBED)
    • RegAsymX.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\3TpW2Sn68z.exe" MD5: C7FC0CEE8CA35D709ED276E9F88DDBED)
      • RegAsymX.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\directory\RegAsymX.exe" MD5: C7FC0CEE8CA35D709ED276E9F88DDBED)
        • svchost.exe (PID: 7660 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
          • WerFault.exe (PID: 7764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 7884 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • RegAsymX.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Local\directory\RegAsymX.exe" MD5: C7FC0CEE8CA35D709ED276E9F88DDBED)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted malware configuration:

{
  "Host:Port:Password": "84.38.132.103:7001:1",
  "Assigned name": "Main",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-FR1M2R",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
(43 entries in the full report; the remainder are not shown here)

Source | Rule | Description | Author | Strings
8.2.RegAsymX.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
8.2.RegAsymX.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
8.2.RegAsymX.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
8.2.RegAsymX.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
8.2.RegAsymX.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
(55 entries in the full report; the remainder are not shown here)

                  System Summary

                  barindex
Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\directory\RegAsymX.exe", ParentImage: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ParentProcessId: 7608, ParentProcessName: RegAsymX.exe, ProcessCommandLine: svchost.exe, ProcessId: 7660, ProcessName: svchost.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , ProcessId: 7884, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\directory\RegAsymX.exe", ParentImage: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ParentProcessId: 7608, ParentProcessName: RegAsymX.exe, ProcessCommandLine: svchost.exe, ProcessId: 7660, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs" , ProcessId: 7884, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\directory\RegAsymX.exe", ParentImage: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ParentProcessId: 7608, ParentProcessName: RegAsymX.exe, ProcessCommandLine: svchost.exe, ProcessId: 7660, ProcessName: svchost.exe
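The five Sigma hits above reduce to two process-creation patterns: a bare svchost.exe (no "-k <service group>" argument) spawned by something other than the service control manager, here the RegAsymX.exe copy in AppData that is about to inject into it, and WScript.exe executing a script that lives in the user's Startup folder. The following Python is an added example, not Joe Sandbox or Sigma code, that implements both checks over Sysmon-style process records. The allowlist of legitimate svchost.exe parents, the script-extension list and the sample events (the two malicious ones mirror the process tree above, the two benign ones are made up) are constructed assumptions for the example.

```python
"""Process-creation checks behind the Sigma hits above (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Parents that legitimately start svchost.exe. Assumption for this example;
# baseline it per environment before relying on it.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# Per-user Startup folder, as it appears in the RegAsymX.vbs command line above.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str  # empty when the parent had already exited, as on the wscript hit above


def _basename(path):
    return ntpath.basename(path).lower()


def _argv(command_line):
    """Split a Windows command line: quoted runs stay whole, quotes are stripped."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def check_svchost(ev):
    """Service hosts are started by services.exe with a '-k <group>' argument.
    A bare 'svchost.exe' under a user-land parent is the injection-target pattern above."""
    if _basename(ev.image) != "svchost.exe":
        return []
    hits = []
    args = [a.lower() for a in _argv(ev.command_line)]
    if "-k" not in args:
        hits.append("svchost_missing_k")
    # An empty parent image also lands here: an unknown parent is not an expected one.
    if _basename(ev.parent_image) not in EXPECTED_SVCHOST_PARENTS:
        hits.append("svchost_uncommon_parent")
    return hits


def check_script_host(ev):
    """WScript/CScript launched with a script argument that lives in a Startup folder."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return []
    for arg in _argv(ev.command_line)[1:]:
        low = arg.lower()
        if STARTUP_MARKER in low and low.endswith(SCRIPT_EXTS):
            return ["script_from_startup"]
    return []


def evaluate(events):
    """Return (pid, rule_name) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        for rule in check_svchost(ev) + check_script_host(ev):
            findings.append((ev.pid, rule))
    return findings


# Constructed sample: the two malicious events from the report plus two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(7660, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe",
                 r"C:\Users\user\AppData\Local\directory\RegAsymX.exe"),
    ProcessEvent(7884, r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"',
                 ""),
    ProcessEvent(1234, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent(4321, r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Tools\inventory.vbs"',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Run against the sample, PID 7660 trips both svchost checks and PID 7884 trips the Startup-script check, while the service-manager-spawned svchost.exe and the script run from C:\Tools stay quiet. The parent allowlist is what needs tuning in practice; the missing "-k" check is the more robust of the two signals because it does not depend on knowing every legitimate parent.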

                  Data Obfuscation

                  barindex
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ProcessId: 7564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs

                  Stealing of Sensitive Information

                  barindex
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\RegAsymX.exe, ProcessId: 7608, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-05T14:17:21.343263+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 84.38.132.103 | 7001 | TCP
2024-09-05T14:17:43.736278+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 53009 | 84.38.132.103 | 7001 | TCP
2024-09-05T14:18:06.103034+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 53013 | 84.38.132.103 | 7001 | TCP


                  AV Detection

                  barindex
Source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "84.38.132.103:7001:1", "Assigned name": "Main", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FR1M2R", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | ReversingLabs: Detection: 50%
Source: 3TpW2Sn68z.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Joe Sandbox ML: detected
Source: 3TpW2Sn68z.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_004338C8
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_004338C8
Source: RegAsymX.exe, 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_98b29fde-1

                  Exploits

                  barindex
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR

                  Privilege Escalation

                  barindex
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00407538 _wcslen,CoGetObject,2_2_00407538
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00407538 _wcslen,CoGetObject,8_2_00407538

                  Compliance

                  barindex
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Unpacked PE file: 2.2.RegAsymX.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Unpacked PE file: 8.2.RegAsymX.exe.400000.0.unpack
Source: 3TpW2Sn68z.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_005CDBBE
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D68EE FindFirstFileW,FindClose,0_2_005D68EE
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_005D698F
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005CD076
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005CD3A9
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_005D9642
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_005D979D
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_005D9B2B
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_005D5C97
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0084DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,1_2_0084DBBE
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_008568EE FindFirstFileW,FindClose,1_2_008568EE
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0085698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,1_2_0085698F
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0084D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0084D076
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0084D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0084D3A9
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00859642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00859642
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0085979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0085979D
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00859B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_00859B2B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00855C97 FindFirstFileW,FindNextFileW,FindClose,1_2_00855C97
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_0040928E
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041C322
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040C388
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_004096A0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00408847
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00407877 FindFirstFileW,FindNextFileW,2_2_00407877
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040BB6B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00419B86
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0327698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,3_2_0327698F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032768EE FindFirstFileW,FindClose,3_2_032768EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0326D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_0326D3A9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0326D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_0326D076
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0327979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0327979D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_03279642
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_03279B2B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0326DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,3_2_0326DBBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03275C97 FindFirstFileW,FindNextFileW,FindClose,3_2_03275C97
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00407CD2
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

                  Networking

                  Source: Network traffic  Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 84.38.132.103:7001
                  Source: Network traffic  Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:53013 -> 84.38.132.103:7001
                  Source: Network traffic  Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:53009 -> 84.38.132.103:7001
                  Source: Malware configuration extractor  URLs: 84.38.132.103
                  Source: global traffic  TCP traffic: 192.168.2.4:49730 -> 84.38.132.103:7001
                  Source: Joe Sandbox View  ASN Name: DATACLUBLV DATACLUBLV
                  Source: unknown  TCP traffic detected without corresponding DNS query: 84.38.132.103
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe  Code function: 0_2_005DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,  0_2_005DCE44
                  Source: RegAsymX.exe  String found in binary or memory: http://geoplugin.net/json.gp
                  Source: RegAsymX.exe, 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp  String found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: Amcache.hve.6.dr  String found in binary or memory: http://upx.sf.net

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 2_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000  2_2_0040A2F3
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe  Code function: 0_2_005DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,  0_2_005DEAFF
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe  Code function: 0_2_005DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,  0_2_005DED6A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 1_2_0085ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,  1_2_0085ED6A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 2_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,  2_2_004168FC
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 3_2_0327ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,  3_2_0327ED6A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,  8_2_004168FC
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe  Code function: 0_2_005CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,  0_2_005CAA57
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe  Code function: 0_2_005F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,  0_2_005F9576
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 1_2_00879576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,  1_2_00879576
                  Source: C:\Windows\SysWOW64\svchost.exe  Code function: 3_2_03299576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,  3_2_03299576
                  Source: Yara match  File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match  File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
                  Source: Yara match  File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 2_2_0041CA6D SystemParametersInfoW,  2_2_0041CA6D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 2_2_0041CA73 SystemParametersInfoW,  2_2_0041CA73
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 8_2_0041CA6D SystemParametersInfoW,  8_2_0041CA6D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe  Code function: 8_2_0041CA73 SystemParametersInfoW,  8_2_0041CA73

                  System Summary

                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 3TpW2Sn68z.exe  String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: 3TpW2Sn68z.exe, 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp  String found in binary or memory: This is a third-party compiled AutoIt script.  memstr_814a09af-6
                  Source: 3TpW2Sn68z.exe, 00000000.00000003.1681672618.0000000003DE1000.00000004.00001000.00020000.00000000.sdmp  String found in binary or memory: This is a third-party compiled AutoIt script.  memstr_deae4797-6
                  Source: RegAsymX.exe  String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: RegAsymX.exe, 00000001.00000000.1681932970.00000000008A2000.00000002.00000001.01000000.00000004.sdmp  String found in binary or memory: This is a third-party compiled AutoIt script.  memstr_d894eeb2-c
                  Source: RegAsymX.exe, 00000002.00000002.4144768646.0000000003F72000.00000040.10000000.00040000.00000000.sdmp  String found in binary or memory: This is a third-party compiled AutoIt script.  memstr_610698ee-5
                  Source: RegAsymX.exe, 00000002.00000002.4144625611.0000000003DB5000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: This is a third-party compiled AutoIt script.  memstr_7e079ba4-9
                  Source: RegAsymX.exe, 00000002.00000002.4143541171.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2f49fdef-1
                  Source: RegAsymX.exe, 00000002.00000002.4143541171.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5b8ae25b-2
                  Source: svchost.exe, 00000003.00000002.2005838898.00000000032C2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4b7a6453-9
                  Source: svchost.exe, 00000003.00000002.2005838898.00000000032C2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_0407e11f-a
                  Source: RegAsymX.exe, 00000008.00000000.1810224415.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7002a894-9
                  Source: RegAsymX.exe, 00000008.00000000.1810224415.00000000008A2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c4435ec3-3
                  Source: RegAsymX.exe, 00000008.00000002.4144091090.0000000004276000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_095845a4-a
                  Source: RegAsymX.exe, 00000008.00000002.4144091090.0000000004276000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f2a9c828-4
                  Source: 3TpW2Sn68z.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_959647dd-f
                  Source: 3TpW2Sn68z.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_745d09d1-8
                  Source: RegAsymX.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2e2a7c22-2
                  Source: RegAsymX.exe.0.drString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_2fc89a24-2
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0329A2D7 NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032987B2 NtdllDialogWndProc_W,CallWindowProcW
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03218BA4 NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03298AAA NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03298FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299380 NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032993CB NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0329911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03203170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03219052 NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032190A7 NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032990A1 SendMessageW,NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032197C0 GetParent,NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0329953A GetWindowLongW,NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299400 ClientToScreen,NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0321997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299E74 NtdllDialogWndProc_W
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03299EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CD5EB CreateFileW,DeviceIoControl,CloseHandle
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0084E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0326E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0056BF40
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D2046
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00568060
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C8298
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0059E4FF
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0059676B
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005F4873
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0056CAF0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0058CAA0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0057CC39
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00596DD9
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0057B119
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005691C0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00581394
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00581706
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0058781B
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0057997D
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00567920
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005819B0
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00587A4A
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00581C77
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00587CA7
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005EBE44
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00599EEE
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00581F32
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_02023660
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007E8060
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00852046
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00848298
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0081E4FF
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0081676B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00874873
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0080CAA0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007ECAF0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007FCC39
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00816DD9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007FB119
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007E91C0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00801394
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00801706
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0080781B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007F997D
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_008019B0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_007E7920
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00807A4A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00807CA7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00801C77
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00819EEE
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0086BE44
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00801F32
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00603660
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043706A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00414005
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043E11C
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004541D9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004381E8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041F18B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00446270
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043E34B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004533AB
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0042742E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00437566
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043E5A8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004387F0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043797E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004339D7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0044DA49
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00427AD7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041DBF3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00427C40
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00437DB3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00435EEB
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043DEED
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00426E9F
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_01033660
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03268298
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03208060
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03272046
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0323676B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0323E4FF
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0322CAA0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0320CAF0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03294873
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03236DD9
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0321CC39
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03221394
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0321B119
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032091C0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03221706
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03227A4A
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03207920
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0321997D
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032219B0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0322781B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03221F32
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0328BE44
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03239EEE
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03221C77
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03227CA7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043706A
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00414005
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043E11C
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004541D9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004381E8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041F18B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00446270
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043E34B
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004533AB
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0042742E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00437566
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043E5A8
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004387F0
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043797E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004339D7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0044DA49
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00427AD7
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041DBF3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00427C40
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00437DB3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00435EEB
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043DEED
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00426E9F
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_018A3660
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 0040417E appears 46 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00402093 appears 100 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 007FF9F2 appears 31 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 004020DF appears 40 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00434801 appears 82 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00457AA8 appears 34 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00445951 appears 56 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 004046F7 appears 34 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00402213 appears 38 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 004052FD appears 32 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00800A30 appears 46 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00401E65 appears 70 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00434E70 appears 108 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00401FAB appears 44 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 0044854A appears 36 times
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: String function: 00411FA2 appears 32 times
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03220A30 appears 46 times
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: String function: 00580A30 appears 46 times
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: String function: 0057F9F2 appears 31 times
                  Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568
                  Source: 3TpW2Sn68z.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@11/18@0/1
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D37B5 GetLastError,FormatMessageW,0_2_005D37B5
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005C10BF AdjustTokenPrivileges,CloseHandle,0_2_005C10BF
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_005C16C3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_008410BF AdjustTokenPrivileges,CloseHandle,1_2_008410BF
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 1_2_008416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,1_2_008416C3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,2_2_0041798D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_032610BF AdjustTokenPrivileges,CloseHandle,3_2_032610BF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_032616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,3_2_032616C3
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_0041798D
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_005D51CD
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_005EA67C
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_005D648E
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeCode function: 0_2_005642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_005642A2
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_0041AADB
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeFile created: C:\Users\user\AppData\Local\directoryJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7660
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R-W
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeFile created: C:\Users\user\AppData\Local\Temp\autA43A.tmpJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"
                  Source: 3TpW2Sn68z.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: 3TpW2Sn68z.exeReversingLabs: Detection: 50%
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeFile read: C:\Users\user\Desktop\3TpW2Sn68z.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\3TpW2Sn68z.exe "C:\Users\user\Desktop\3TpW2Sn68z.exe"
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeProcess created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\Desktop\3TpW2Sn68z.exe"
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeProcess created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                  Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeProcess created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\Desktop\3TpW2Sn68z.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeProcess created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exeJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wsock32.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: 3TpW2Sn68z.exe Static file information: File size 1426944 > 1048576
                  Source: 3TpW2Sn68z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 3TpW2Sn68z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 3TpW2Sn68z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 3TpW2Sn68z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 3TpW2Sn68z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 3TpW2Sn68z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 3TpW2Sn68z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 3TpW2Sn68z.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 3TpW2Sn68z.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 3TpW2Sn68z.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 3TpW2Sn68z.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 3TpW2Sn68z.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Unpacked PE file: 2.2.RegAsymX.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Unpacked PE file: 8.2.RegAsymX.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005642DE
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_00580A76 push ecx; ret 0_2_00580A89
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00800A76 push ecx; ret 1_2_00800A89
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00457186 push ecx; ret 2_2_00457199
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041C7F3 push eax; retf 2_2_0041C7FD
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00457AA8 push eax; ret 2_2_00457AC6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00434EB6 push ecx; ret 2_2_00434EC9
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03220A76 push ecx; ret 3_2_03220A89
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00457186 push ecx; ret 8_2_00457199
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_0041C7F3 push eax; retf 8_2_0041C7FD
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_00406EEB ShellExecuteW,URLDownloadToFileW,2_2_00406EEB
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe File created: C:\Users\user\AppData\Local\directory\RegAsymX.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_0041AADB
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_0057F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0057F98E
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Code function: 0_2_005F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_005F1C41
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_007FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_007FF98E
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 1_2_00871C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_00871C41
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0321F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,3_2_0321F98E
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03291C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,3_2_03291C41
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Code function: 2_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_0041CBE1
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 2_2_0040F7E2 Sleep,ExitProcess,2_2_0040F7E2
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: 8_2_0040F7E2 Sleep,ExitProcess,8_2_0040F7E2
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-96870
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,2_2_0041A7D9
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,8_2_0041A7D9
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeWindow / User API: threadDelayed 1632Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeWindow / User API: threadDelayed 1623Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeWindow / User API: threadDelayed 3312Jump to behavior
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exeAPI coverage: 3.8 %
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeAPI coverage: 3.7 %
                  Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 1.0 %
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeAPI coverage: 7.9 %
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7640Thread sleep count: 41 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7644Thread sleep count: 1632 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7644Thread sleep time: -4896000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7652Thread sleep count: 1623 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 7652Thread sleep time: -4869000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 5804Thread sleep count: 3312 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe TID: 5804Thread sleep time: -3312000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D68EE FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D5C97 FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0084DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_008568EE FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0085698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0084D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0084D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00859642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0085979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00859B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00855C97 FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00407877 FindFirstFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0327698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032768EE FindFirstFileW,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0326D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0326D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0327979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0326DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03275C97 FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00407877 FindFirstFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
                  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
                  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll81
                  Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                  Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005DEAA2 BlockInput
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00592622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00584CE8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_020234F0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_02023550 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_02021E7E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_02021E90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00804CE8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_006034F0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00603550 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00601E7E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00601E90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00443355 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_01033550 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_010334F0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_01031E7E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_01031E90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03224CE8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00443355 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_018A3550 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_018A34F0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_018A1E90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_018A1E7E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00592622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0058083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005809D5 SetUnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00580C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00812622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_0080083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_008009D5 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00800C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00434BD8 SetUnhandledExceptionFilter
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03232622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_032209D5 SetUnhandledExceptionFilter
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0322083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03220C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00434BD8 SetUnhandledExceptionFilter

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3179008
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00412132 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00412132 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
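                  The 2_2_0041812A row is the loader's injection routine read as an API sequence: CreateProcessW starts svchost.exe (suspended, as the later ResumeThread implies), Wow64GetThreadContext fetches its context, NtCreateSection / NtUnmapViewOfSection / NtMapViewOfSection replace the image, WriteProcessMemory and Wow64SetThreadContext patch in the payload and entry point, and ResumeThread lets the hollowed process run. The "Section loaded ... execute and read and write" and "Memory written ... svchost.exe" rows are the same event seen from the target side. The detector below is an added example, not part of the Joe Sandbox report and not code from the sample; it treats a "Code function" row's API list as an ordered sub-sequence with alternatives, which is how a practitioner would catch the same pattern across 32-bit, WoW64, section-based and write-based variants. The alternative API names beyond those in the report (SetThreadContext, NtWriteVirtualMemory, NtResumeThread and so on) are my additions, and the two negative rows are the report's own CreateProcessAsUserW and FindFirstFileW functions.

```python
import re

# "Code function" rows copied from the report, path shortened to the
# process name: the flagged hollowing routine, then two negatives.
REPORT_LINES = [
    "RegAsymX.exe Code function: 2_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError",
    "3TpW2Sn68z.exe Code function: 0_2_005C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock",
    "3TpW2Sn68z.exe Code function: 0_2_005D5C97 FindFirstFileW,FindNextFileW,FindClose",
]

LINE_RE = re.compile(r"Code function:\s*(\S+)\s+([A-Za-z0-9_@,]+)")

# Process hollowing as an ordered chain of steps. Each step is a set of
# interchangeable APIs; only the names present in the report row above
# are confirmed, the rest are added alternatives (an assumption).
HOLLOWING_CHAIN = [
    {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},   # spawn target
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection", "NtMapViewOfSection",
     "WriteProcessMemory", "NtWriteVirtualMemory"},                   # replace image
    {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},  # redirect EP
    {"ResumeThread", "NtResumeThread"},                               # run payload
]


def parse_code_function(line):
    """Split a 'Code function' row into (function id, [api, api, ...])."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2).split(",")


def matches_chain(apis, chain):
    """True when every step of `chain` occurs in order within `apis`,
    with any number of unrelated calls in between."""
    step = 0
    for api in apis:
        if step < len(chain) and api in chain[step]:
            step += 1
    return step == len(chain)


def find_hollowing(lines):
    """Function ids whose API sequence matches the hollowing chain."""
    hits = []
    for line in lines:
        parsed = parse_code_function(line)
        if parsed and matches_chain(parsed[1], HOLLOWING_CHAIN):
            hits.append(parsed[0])
    return hits


if __name__ == "__main__":
    print("process hollowing candidates:", find_hollowing(REPORT_LINES))
```

Requiring the steps in order is what keeps CreateProcessAsUserW plus a later CloseHandle from matching; a keyword match on any one of these APIs would flag half the legitimate Windows software on a host. The same matcher can be pointed at a live API trace or an EDR call stack, not only at report rows.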
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005A2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005CB226 SendInput,keybd_event
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\RegAsymX.exe "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: 3TpW2Sn68z.exe, RegAsymX.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: RegAsymX.exe, 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager2R\
                  Source: 3TpW2Sn68z.exe, RegAsymX.exe | Binary or memory string: Shell_TrayWnd
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager2R\G
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager2R\Y
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager@
                  Source: RegAsymX.exe, 00000002.00000002.4143971478.0000000001168000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager9
                  Source: RegAsymX.exe, 00000002.00000002.4144358556.0000000001346000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.dr | Binary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_00580698 cpuid
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0045201B EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004520B6 EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00452143 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00452393 GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00448484 EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004524BC GetLocaleInfoW,GetLocaleInfoW,GetACP
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_004525C3 GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00452690 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0044896D GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040F90C GetLocaleInfoA
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00451D58 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_00451FD0 EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0045201B EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004520B6 EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00452143 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00452393 GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00448484 EnumSystemLocalesW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004524BC GetLocaleInfoW,GetLocaleInfoW,GetACP
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_004525C3 GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00452690 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0044896D GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040F90C GetLocaleInfoA
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00451D58 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_00451FD0 EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005BD27A GetUserNameW
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_0059BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040BA4D | String: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040BA4D | String: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040BB6B | String: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040BB6B | String: \key3.db
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040BB6B | String: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040BB6B | String: \key3.db
Source: RegAsymX.exe | Binary or memory string: WIN_81
Source: RegAsymX.exe | Binary or memory string: WIN_XP
                  Source: RegAsymX.exe.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: RegAsymX.exe | Binary or memory string: WIN_XPe
Source: RegAsymX.exe | Binary or memory string: WIN_VISTA
Source: RegAsymX.exe | Binary or memory string: WIN_7
Source: RegAsymX.exe | Binary or memory string: WIN_8

                  Remote Access Functionality

Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FR1M2R-W
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegAsymX.exe.4130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.1040000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegAsymX.exe.dd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsymX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsymX.exe PID: 7936, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 2_2_0040569A | String: cmd.exe
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 8_2_0040569A | String: cmd.exe
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\3TpW2Sn68z.exe | Code function: 0_2_005E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00861204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\directory\RegAsymX.exe | Code function: 1_2_00861806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03281204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03281806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
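One practitioner caveat on the credential-theft routines above: the \key3.db reference is the legacy NSS key store, and Firefox 58 and later keep the master key in key4.db, so that routine only yields anything on old profiles. The Chrome "Login Data" path is still current.

The two signature sections above (Stealing of Sensitive Information, Remote Access Functionality) together give a compact host indicator set for this sample: the Rmc-* mutexes, the C:\ProgramData\remcos\logs.dat keylogger file, the .vbs written to the Startup folder, reads of the browser credential stores, and the 84.38.132.103 address. The script below runs those indicators over endpoint telemetry and rolls the hits up per process. It is an added example and not Joe Sandbox code; the event dictionaries and their field names (pid, image, type, path, name, dst_ip) are an assumed Sysmon-like shape, and SAMPLE_EVENTS is constructed to mirror the behaviour the report records, with some benign noise mixed in.

```python
r"""Triage of endpoint telemetry against the Remcos indicators this report
lists: the Rmc-* mutexes, the C:\ProgramData\remcos\logs.dat keylogger file,
the .vbs dropped into the Startup folder, reads of the Chrome "Login Data"
and Firefox profile stores, and the 84.38.132.103 C2 address. This is an
added example, not Joe Sandbox code; the event dictionaries and their field
names (pid, image, type, path, name, dst_ip) are an assumed Sysmon-like
shape, and SAMPLE_EVENTS is constructed to mirror the behaviour above."""
from __future__ import annotations

from collections import Counter
from typing import Iterable

# Indicators as they appear in the report above.
C2_IPS = {"84.38.132.103"}
MUTEX_PREFIX = "rmc-"                       # Rmc-FR1M2R, Rmc-FR1M2R-W
KEYLOG_PATH = "c:\\programdata\\remcos\\logs.dat"
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
BROWSER_STORES = (
    "\\google\\chrome\\user data\\default\\login data",
    "\\mozilla\\firefox\\profiles\\",
)
# The browsers themselves read these stores constantly; only flag other images.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe"}


def _norm(p: str) -> str:
    """Case-insensitive, backslash-only comparison form for Windows paths."""
    return p.replace("/", "\\").lower()


def _basename(p: str) -> str:
    return _norm(p).rsplit("\\", 1)[-1]


def classify_event(ev: dict) -> list[str]:
    """Return the names of the report's indicators that one event matches."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "mutex":
        # Object-manager paths like \Sessions\1\BaseNamedObjects\Rmc-FR1M2R
        if _basename(ev.get("name", "")).startswith(MUTEX_PREFIX):
            hits.append("remcos_mutex")
    elif kind in ("file_create", "file_write", "file_read"):
        path = _norm(ev.get("path", ""))
        if path == KEYLOG_PATH:
            hits.append("remcos_keylog_file")
        if STARTUP_DIR in path and path.endswith(".vbs"):
            hits.append("startup_vbs_persistence")
        if (any(store in path for store in BROWSER_STORES)
                and _basename(ev.get("image", "")) not in BROWSER_IMAGES):
            hits.append("browser_credential_store_access")
    elif kind == "network_connect":
        if ev.get("dst_ip") in C2_IPS:
            hits.append("remcos_c2_ip")
    return hits


def triage(events: Iterable[dict]) -> dict[int, dict]:
    """Aggregate hits per pid: {pid: {"image": str, "hits": Counter}}.
    Processes with no hits are left out entirely."""
    per_pid: dict[int, dict] = {}
    for ev in events:
        for hit in classify_event(ev):
            entry = per_pid.setdefault(
                ev["pid"], {"image": ev.get("image", ""), "hits": Counter()})
            entry["hits"][hit] += 1
    return per_pid


def suspects(summary: dict[int, dict], min_families: int = 2) -> list[int]:
    """Pids that matched at least min_families distinct indicator families.
    A single family (e.g. only a Startup .vbs) is a lead, not a verdict."""
    return sorted(pid for pid, e in summary.items() if len(e["hits"]) >= min_families)


REGASYM = "C:\\Users\\user\\AppData\\Local\\directory\\RegAsymX.exe"
LOGIN_DATA = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"

# Constructed events modelled on the report's behaviour (pids from the Yara section).
SAMPLE_EVENTS = [
    {"pid": 7608, "image": REGASYM, "type": "mutex",
     "name": "\\Sessions\\1\\BaseNamedObjects\\Rmc-FR1M2R"},
    {"pid": 7608, "image": REGASYM, "type": "mutex",
     "name": "\\Sessions\\1\\BaseNamedObjects\\Rmc-FR1M2R-W"},
    {"pid": 7608, "image": REGASYM, "type": "file_write",
     "path": "C:\\ProgramData\\remcos\\logs.dat"},
    {"pid": 7608, "image": REGASYM, "type": "file_read", "path": LOGIN_DATA},
    {"pid": 7608, "image": REGASYM, "type": "network_connect",
     "dst_ip": "84.38.132.103", "dst_port": 53009},
    {"pid": 7564, "image": REGASYM, "type": "file_create",
     "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
             "\\Programs\\Startup\\RegAsymX.vbs"},
    # Benign noise: Chrome reading its own store, Explorer writing a document.
    {"pid": 4242, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "type": "file_read", "path": LOGIN_DATA},
    {"pid": 1234, "image": "C:\\Windows\\explorer.exe", "type": "file_create",
     "path": "C:\\Users\\user\\Documents\\notes.txt"},
]


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for pid in suspects(summary):
        print(pid, summary[pid]["image"], dict(summary[pid]["hits"]))
```

The per-family threshold is the point of the design: a lone Startup .vbs or a lone read of Login Data is common enough on a busy estate to be noise, but a process that both creates an Rmc-* mutex and touches the remcos log directory, or that reads a browser store and then talks to the listed address, is worth paging someone over. The browser whitelist is deliberately by image basename only; a real deployment would key it on a signed path.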
MITRE ATT&CK Matrix (techniques with signature hits; the number in parentheses is the hit-count badge exactly as the report shows it, e.g. 111 or 322)
• Resource Development: Scripting (111)
• Initial Access: Valid Accounts (2)
• Execution: Native API (1), Command and Scripting Interpreter (1), Service Execution (2)
• Persistence: Scripting (111), DLL Side-Loading (1), Valid Accounts (2), Windows Service (1), Registry Run Keys / Startup Folder (2)
• Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Bypass User Account Control (1), Valid Accounts (2), Access Token Manipulation (21), Windows Service (1), Process Injection (322), Registry Run Keys / Startup Folder (2)
• Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (12), Access Token Manipulation (21), Process Injection (322)
• Credential Access: OS Credential Dumping (1), Input Capture (121), Credentials In Files (2)
• Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (4), System Information Discovery (26), Security Software Discovery (241), Virtualization/Sandbox Evasion (12), Process Discovery (2), Application Window Discovery (11), System Owner/User Discovery (1)
• Collection: Archive Collected Data (11), Input Capture (121), Clipboard Data (3)
• Command and Control: Ingress Tool Transfer (11), Encrypted Channel (2), Non-Standard Port (1), Remote Access Software (1), Application Layer Protocol (1)
• Impact: System Shutdown/Reboot (1), Defacement (1)
Tactics with no hits: Reconnaissance, Lateral Movement, Exfiltration.
Behavior Graph (ID 1504845, sample 3TpW2Sn68z.exe, start date 05/09/2024, architecture WINDOWS, score 100)
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
• 3TpW2Sn68z.exe (started)
  dropped: C:\Users\user\AppData\Local\...\RegAsymX.exe, PE32
  signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
  • RegAsymX.exe (started)
    dropped: C:\Users\user\AppData\...\RegAsymX.vbs, data
    signatures: Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (creates a PE file in dynamic memory); 9 other signatures
    • RegAsymX.exe (started)
      network: 84.38.132.103, ports 49730, 53009, 53013 (DATACLUBLV, Latvia)
      dropped: C:\ProgramData\remcos\logs.dat, data
      signatures: Detected Remcos RAT; Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
      • svchost.exe (started)
        signatures: Binary is likely a compiled AutoIt script file
        • WerFault.exe (started)
• wscript.exe (started)
  signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • RegAsymX.exe (started)
    signatures: Detected Remcos RAT; Binary is likely a compiled AutoIt script file

Source | Detection | Scanner | Label
3TpW2Sn68z.exe | 50% | ReversingLabs | Win32.Trojan.Strab
3TpW2Sn68z.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\directory\RegAsymX.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\directory\RegAsymX.exe | 50% | ReversingLabs | Win32.Trojan.Strab
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp/C | 0% | Avira URL Cloud | safe
http://upx.sf.net | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe
84.38.132.103 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
84.38.132.103 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | RegAsymX.exe | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | RegAsymX.exe, 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, RegAsymX.exe, 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
84.38.132.103 | unknown | Latvia | 52048 | DATACLUBLV | true
Note that Avira URL Cloud rates 84.38.132.103 as safe (tables above) while the behavioural analysis marks it malicious: it is the address the Remcos payload connects to, so the sandbox verdict, not the URL-reputation lookup, should drive blocking. The geoplugin.net/json.gp lookup is a public geolocation service that Remcos queries at startup; it is a useful network marker for this family but not a command-and-control endpoint, and the scanner correctly rates it safe.
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1504845
                  Start date and time:2024-09-05 14:16:05 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 10m 4s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:3TpW2Sn68z.exe
                  renamed because original name is a hash value
                  Original Sample Name:560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e.exe
                  Detection:MAL
                  Classification:mal100.rans.troj.spyw.expl.evad.winEXE@11/18@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 51
                  • Number of non-executed functions: 297
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 20.189.173.20
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: 3TpW2Sn68z.exe
Time | Type | Description
08:17:28 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
08:17:31 | API Interceptor | 6118164x Sleep call for process: RegAsymX.exe modified
13:17:00 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs
Samples previously seen on the same ASN (match: DATACLUBLV)
Associated Sample Name / URL | Detection | Threat Name | Context
• 1q4wVJgStc.exe | malicious | AgentTesla, GuLoader | 46.183.223.107
• nleHhuZy1N.exe | malicious | AgentTesla, GuLoader | 46.183.223.107
• Documenti di spedizione 0002838844.exe | malicious | AgentTesla | 46.183.223.107
• Shipping Documents.bat.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 46.183.220.28
• Document SWIFT Payment Copy Ref#8374837293.exe | malicious | Remcos | 84.38.132.40
• Nakliye belgeleri.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 46.183.220.65
• file.exe | malicious | StormKitty, XWorm | 84.38.132.25
• USED TROMMEL.js | malicious | ADWIND | 46.183.223.47
• DRAFT AWB and DRAFT Commercial invoice.xls | malicious | Remcos | 46.183.222.11
• XrAADcYten.rtf | malicious | Remcos | 46.183.222.11
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.8632280976180019
                  Encrypted:false
                  SSDEEP:192:RQi5j1Js8pB0GdsyvjUUGzuiFXZ24IO8KR:Z5xJs8pCGdsyvjuzuiFXY4IO8KR
                  MD5:026DD927C4D6BE0068F0454C7F0740D2
                  SHA1:67B8F953D043B13834D1CF8A09AC52F43AF4DB81
                  SHA-256:929DE90EE8009704356450B51B16ACB6B418CC257E73AAEFA1329833D56B8EF7
                  SHA-512:B1E7BA759919AC53FA116EEA5567A0B88BF1F28BBA97D6EE8A739703821D6498B8E7A62CDDD90A9AFC0A3AAF1171699D985F06A7177B6E11464BEFC9D4C9DE6E
                  Malicious:false
                  Reputation:low
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.0.1.2.2.2.4.7.2.6.0.8.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.0.1.2.2.2.6.7.1.0.4.6.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.e.e.8.9.a.e.-.f.8.e.a.-.4.3.3.c.-.9.a.8.e.-.e.8.d.9.b.5.7.0.8.f.5.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.d.6.9.e.2.6.-.0.3.c.4.-.4.7.3.8.-.8.8.e.f.-.d.5.2.1.7.7.b.4.2.c.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.e.c.-.0.0.0.1.-.0.0.1.4.-.8.c.1.a.-.b.2.8.1.8.d.f.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.3.1.9.6.f.4.5.b.2.6.9.a.6.1.4.a.3.9.2.6.e.f.c.0.3.2.f.c.9.d.7.5.0.1.7.f.2.7.e.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Thu Sep 5 12:17:06 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):235386
                  Entropy (8bit):0.7130156194278792
                  Encrypted:false
                  SSDEEP:192:kf7+b6stggzDO8u+HviOmVS1aF/Ji6uOvezhUp2dIP0KVjWS:2bsSw6r+HKOmVSs/BLGe2PS
                  MD5:A37AD8656B2EC855C3A2552A121AA1C5
                  SHA1:F2DC6CBF64F2286A2D792011FE806EE03E16ECE0
                  SHA-256:B1D481FDA8B212241B4B20E762C6DDFDE41D016D8D8F5DA01088E051940083F4
                  SHA-512:93CD7909D0B26F6D34FE1810ED86DAC3A8E9D4E1E28E23078B8350D5D32FC83E807DA54D38BB9538850E4257DB2D5ED06A049F77DF3D80985CCD9680062436B0
                  Malicious:false
                  Reputation:low
                  Preview:MDMP..a..... .......B..f.........................................)..........T.......8...........T...........h...............<...........(...............................................................................eJ..............GenuineIntel............T...........;..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8298
                  Entropy (8bit):3.691054350716476
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJ4Mb6pD6YG76TPgmfpDcQhpDY89bcqrsfQeom:R6lXJ3696YK6DgmfpDcQx5wf5
                  MD5:05A2789545096703989A8B9225BCA7AD
                  SHA1:39505CD08075347BC0E3D012B5AC858BA2B4DD1E
                  SHA-256:08184F8647583EDE0FD153BF1D9FCB898692F8B17ABCED16C189B5297D72B9B6
                  SHA-512:249C2B85E886B2698571CDDB134BCFE78560B4E01DFA7CE645BDE2537FDC5AE47E1FC817CED3EF0547B90979D11025E402F3E27A6308F414E6E840E9A1A7583F
                  Malicious:false
                  Reputation:low
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.6.0.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4655
                  Entropy (8bit):4.449377431426201
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zshJg77aI9N/+WpW8VYbpYm8M4JCaSE0Fs+q80Peg3dD0Fd:uIjfzI7b/7Vc4JC+PdD0Fd
                  MD5:036AC7AB1992BFCC34EE1FFC27A3BF05
                  SHA1:D4508420D934EE80A4FE9EBC678A57FA67E698C1
                  SHA-256:CC87C083632C446FEDC3C1AE7A7B67B43E7B56977770932A8C3898012F1E4AA2
                  SHA-512:721F917DB3F97D816B32E0C3805E50E2613A0436DB264105E4C3FCD703CADA4340DF640348FB3D6C739B2B5A4241C17D398BFCD1938B5FE1042211088E31FD76
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="486919" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Users\user\AppData\Local\directory\RegAsymX.exe
                  File Type:data
                  Category:modified
                  Size (bytes):204
                  Entropy (8bit):3.370841607409535
                  Encrypted:false
                  SSDEEP:3:rhlKlTlQN1UljxQ55JWRal2Jl+7R0DAlBG45klovDl64oojklovDl6v:6l+Neljg5YcIeeDAlOWA41gWAv
                  MD5:FB2127739913D6893E1ED596C117CA08
                  SHA1:32FE605D19EB6419F13D729FF42A29C852A0949C
                  SHA-256:6432387ADBCA135D4D175B97F0C60889CC22845AF405AFFA8CF2496DF5C62369
                  SHA-512:70BE09BDB5C9D615105D5290B582B372478E2ED8945D9CC86D0CC6FD80238ADD05E33C819546302C329276AF38B15CFDE8DA5AECFCF8918F64C967EA1CCDA636
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                  Reputation:low
                  Preview:..[2024/09/05 08:16:59 Offline Keylogger Started]....[Program Manager]....[Run]....[Program Manager]..
                  Process:C:\Users\user\Desktop\3TpW2Sn68z.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):86022
                  Entropy (8bit):4.180302087407891
                  Encrypted:false
                  SSDEEP:1536:bLNn7+q++YEUwFAJglvzOLlWkUrxf8LrfI041A:bLNnyq+ZLcvcWbUrfyA
                  MD5:E9D80FF6FCD8CEEB2F0C63B6D84354FD
                  SHA1:9E697F748635834B3B88F33FBB77323261B325B0
                  SHA-256:91F5F7478FFCD500AD50E86ADA1FAFFC60979B449AF4D56B3BF1F71BB7DA0A3D
                  SHA-512:ABA78FB40AAE7238B20BA9FBE9D975481DA595896A651962C41B89F6BEA323A7040AFAF35A33F0608A4F2D0AAF899537A5E1CC37887AFC6ECE0E468F9916B343
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\Desktop\3TpW2Sn68z.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):418074
                  Entropy (8bit):7.966658027526016
                  Encrypted:false
                  SSDEEP:12288:vOd8E1V9sePhuuslNPUISS+lo3eWx9aBSvQNm5pcu:vOd8c9sePhuusl7XOmaeQN29
                  MD5:CE86F406E025AB6C2D4619B42B06A10F
                  SHA1:910EC8A487315A88F37D98E65C61886BFB6E5A8D
                  SHA-256:C74E9A1BC00368E1CCE005364C3B8EC3822241D895FEBC6F018491EA368E6464
                  SHA-512:6B999D9B150EB8B6ECBB37A4B0F3E0A0246A97BCE310044BDD90926945A4FD6942BFECE1B0F64C57108834EFC63A60FEB48497DB2D4A1A7DED076DC1FE162665
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\Desktop\3TpW2Sn68z.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):43672
                  Entropy (8bit):7.8285350146178185
                  Encrypted:false
                  SSDEEP:768:KfaBoBoap+msyc011tor5MNvmu8L175JdNlf4nC4vzzgEMpd7if9Iw2tAsVkjR:IaBosecK6r5MNm97BbJ4bssiXt7k9
                  MD5:82867B0C21D8C24CF50C4408D8F9821B
                  SHA1:08CDC310E08AE5E72502E4077134BB6DE08F3739
                  SHA-256:900638A4DA24C03753D210EA0C53FF6D729C04563C67B533C5E4F5271F4A3FD5
                  SHA-512:F416F2E257CAA70D47F152958C95F3F71443AFBDD1E641B37AE0CA5D15954F19D8F0461FE035DD3A23AFCB6D5E8C62577AE33AA192E35DA3AF3922BD868F2E0C
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\AppData\Local\directory\RegAsymX.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):418074
                  Entropy (8bit):7.966658027526016
                  Encrypted:false
                  SSDEEP:12288:vOd8E1V9sePhuuslNPUISS+lo3eWx9aBSvQNm5pcu:vOd8c9sePhuusl7XOmaeQN29
                  MD5:CE86F406E025AB6C2D4619B42B06A10F
                  SHA1:910EC8A487315A88F37D98E65C61886BFB6E5A8D
                  SHA-256:C74E9A1BC00368E1CCE005364C3B8EC3822241D895FEBC6F018491EA368E6464
                  SHA-512:6B999D9B150EB8B6ECBB37A4B0F3E0A0246A97BCE310044BDD90926945A4FD6942BFECE1B0F64C57108834EFC63A60FEB48497DB2D4A1A7DED076DC1FE162665
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\AppData\Local\directory\RegAsymX.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):43672
                  Entropy (8bit):7.8285350146178185
                  Encrypted:false
                  SSDEEP:768:KfaBoBoap+msyc011tor5MNvmu8L175JdNlf4nC4vzzgEMpd7if9Iw2tAsVkjR:IaBosecK6r5MNm97BbJ4bssiXt7k9
                  MD5:82867B0C21D8C24CF50C4408D8F9821B
                  SHA1:08CDC310E08AE5E72502E4077134BB6DE08F3739
                  SHA-256:900638A4DA24C03753D210EA0C53FF6D729C04563C67B533C5E4F5271F4A3FD5
                  SHA-512:F416F2E257CAA70D47F152958C95F3F71443AFBDD1E641B37AE0CA5D15954F19D8F0461FE035DD3A23AFCB6D5E8C62577AE33AA192E35DA3AF3922BD868F2E0C
                  Malicious:false
                  Process:C:\Users\user\Desktop\3TpW2Sn68z.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):494592
                  Entropy (8bit):7.627198191106946
                  Encrypted:false
                  SSDEEP:12288:lBcQU30NZkjRqjCdKWIG887zQ09vegFpUDzzJRmJ:lu5jRrK2J9veIpUDzvmJ
                  MD5:89669F54C2CF58A12E6EB05F0B0C8B45
                  SHA1:9DD08035FB240B2D8C284C31786F20C04E4D871A
                  SHA-256:7367A34C0B9D0C68678B8BD5BD02A54C94D7A60000AABC0525079B641C0F5E03
                  SHA-512:000188DE8AF2C2886AB5085890835E29CF0E65F6C9FC01A52F47A709650D8C9F411BB8931E545C27EDC132EE14FA685EC063D5681BFFD9ECE56A52473E9F2686
                  Malicious:false
                  Process:C:\Users\user\Desktop\3TpW2Sn68z.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):1426944
                  Entropy (8bit):7.297149515691595
                  Encrypted:false
                  SSDEEP:24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aIHo9Hi9Yc1St1R1M9p09oMMhDIGL0:2TvC/MTQYxsWR7aIHEC+coJ1OpwoMMhv
                  MD5:C7FC0CEE8CA35D709ED276E9F88DDBED
                  SHA1:CEEA9D76BF0429872F4D7420ADDD0ABDB5E8F4DC
                  SHA-256:560DEF626FC69A10E4979B67107EFAAD102E2A01CE4733D005003DD47437A30E
                  SHA-512:A1B93C9CB87993F77F2DECF0E4EE33277567651D7FB664B579F3E293F97C6B198CE701C02CFFD9D295B3E40F62CD6500F55BC252212C5EC81AC9E257831273DA
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 50%
                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...j..f..........".................w.............@.......................... ......Q.....@...@.......@.....................d...|....@...[.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....[...@...\..................@..@.reloc...u.......v...P..............@..B........................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\AppData\Local\directory\RegAsymX.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):276
                  Entropy (8bit):3.4552422796735183
                  Encrypted:false
                  SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1Al1A3lCatIBnriIM8lfQVn:DsO+vNloRKQ1A1g2mA2n
                  MD5:E1B0A49C9952B924EBAD02E735AF889A
                  SHA1:20A242A5C2B145769AFE8576A9783E72AFBE0364
                  SHA-256:F41741E3B63854908BC9B70DABB6958E2C75087D463834AD0856DCD4447665E6
                  SHA-512:E195CF020E1A376B536603E013E329814347F62CADFA3F0022F57DC1B15F04651273D28ACF7950A722FECE41C2436539850339029CF2BB75836E94A522383DF6
                  Malicious:true
                  Preview:Set WshShell = CreateObject("WScript.Shell").WshShell.Run "C:\Users\jones\AppData\Local\directory\RegAsymX.exe", 1.Set WshShell = Nothing.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.466203376089056
                  Encrypted:false
                  SSDEEP:6144:wIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNqdwBCswSbZ:VXD94+WlLZMM6YFHI+Z
                  MD5:71734B7E1DA5762F12DE83A7C426C47D
                  SHA1:CE14CBF3763A92E892D6D1918039883A00658DAA
                  SHA-256:A52D6D2C6E33F118412E1ED1899B0ED24ED601012D3DA92A9AF7E3C5F2CFA5CD
                  SHA-512:96BE3673C5448462057AE2D0DBB52E2F2468C412CEA455FAC04984B4F2D8A7140880CF91A349EDDE98530FC278D3C4F16BCB63E73BDB6AA60157F8D717E99E2B
                  Malicious:false
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.297149515691595
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:3TpW2Sn68z.exe
                  File size:1'426'944 bytes
                  MD5:c7fc0cee8ca35d709ed276e9f88ddbed
                  SHA1:ceea9d76bf0429872f4d7420addd0abdb5e8f4dc
                  SHA256:560def626fc69a10e4979b67107efaad102e2a01ce4733d005003dd47437a30e
                  SHA512:a1b93c9cb87993f77f2decf0e4ee33277567651d7fb664b579f3e293f97c6b198ce701c02cffd9d295b3e40f62cd6500f55bc252212c5ec81ac9e257831273da
                  SSDEEP:24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aIHo9Hi9Yc1St1R1M9p09oMMhDIGL0:2TvC/MTQYxsWR7aIHEC+coJ1OpwoMMhv
                  TLSH:EB65D00273D1C062FF9B92734B9AF6115BBC79260123AA1F13A81D7ABD701B1563E763
                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                  Icon Hash:aaf3e3e3938382a0
                  Entrypoint:0x420577
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66C4846A [Tue Aug 20 11:56:26 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:948cc502fe9226992dce9417f952fce3
                  Instruction
                  call 00007FE5E8CA9013h
                  jmp 00007FE5E8CA891Fh
                  push ebp
                  mov ebp, esp
                  push esi
                  push dword ptr [ebp+08h]
                  mov esi, ecx
                  call 00007FE5E8CA8AFDh
                  mov dword ptr [esi], 0049FDF0h
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  and dword ptr [ecx+04h], 00000000h
                  mov eax, ecx
                  and dword ptr [ecx+08h], 00000000h
                  mov dword ptr [ecx+04h], 0049FDF8h
                  mov dword ptr [ecx], 0049FDF0h
                  ret
                  push ebp
                  mov ebp, esp
                  push esi
                  push dword ptr [ebp+08h]
                  mov esi, ecx
                  call 00007FE5E8CA8ACAh
                  mov dword ptr [esi], 0049FE0Ch
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  and dword ptr [ecx+04h], 00000000h
                  mov eax, ecx
                  and dword ptr [ecx+08h], 00000000h
                  mov dword ptr [ecx+04h], 0049FE14h
                  mov dword ptr [ecx], 0049FE0Ch
                  ret
                  push ebp
                  mov ebp, esp
                  push esi
                  mov esi, ecx
                  lea eax, dword ptr [esi+04h]
                  mov dword ptr [esi], 0049FDD0h
                  and dword ptr [eax], 00000000h
                  and dword ptr [eax+04h], 00000000h
                  push eax
                  mov eax, dword ptr [ebp+08h]
                  add eax, 04h
                  push eax
                  call 00007FE5E8CAB6BDh
                  pop ecx
                  pop ecx
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  lea eax, dword ptr [ecx+04h]
                  mov dword ptr [ecx], 0049FDD0h
                  push eax
                  call 00007FE5E8CAB708h
                  pop ecx
                  ret
                  push ebp
                  mov ebp, esp
                  push esi
                  mov esi, ecx
                  lea eax, dword ptr [esi+04h]
                  mov dword ptr [esi], 0049FDD0h
                  push eax
                  call 00007FE5E8CAB6F1h
                  test byte ptr [ebp+08h], 00000001h
                  pop ecx
                  Programming Language:
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x85b04 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15a000 | 0x7594 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0xd4000 | 0x85b04 | 0x85c00 | 026debb6a481ad8c2dafe1207de58f51 | False | 0.9509747371495327 | data | 7.941152305886364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x15a000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                  RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                  RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                  RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                  RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                  RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                  RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                  RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                  RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                  RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                  RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                  RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
                  RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                  RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
                  RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                  RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                  RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                  RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                  RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                  RT_RCDATA | 0xdc7b8 | 0x7cdcc | data | | | 1.0003245762910706
                  RT_GROUP_ICON | 0x159584 | 0x76 | data | English | Great Britain | 0.6610169491525424
                  RT_GROUP_ICON | 0x1595fc | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x159610 | 0x14 | data | English | Great Britain | 1.15
                  RT_GROUP_ICON | 0x159624 | 0x14 | data | English | Great Britain | 1.25
                  RT_VERSION | 0x159638 | 0xdc | data | English | Great Britain | 0.6181818181818182
                  RT_MANIFEST | 0x159714 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not reproduced)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-05T14:17:21.343263+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49730 | 84.38.132.103 | 7001 | TCP
2024-09-05T14:17:43.736278+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 53009 | 84.38.132.103 | 7001 | TCP
2024-09-05T14:18:06.103034+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 53013 | 84.38.132.103 | 7001 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 5, 2024 14:16:59.959072113 CEST | 49730 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:16:59.964044094 CEST | 7001 | 49730 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:16:59.964139938 CEST | 49730 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:16:59.968744993 CEST | 49730 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:16:59.973802090 CEST | 7001 | 49730 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:17:21.343199968 CEST | 7001 | 49730 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:17:21.343262911 CEST | 49730 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:21.343383074 CEST | 49730 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:21.348794937 CEST | 7001 | 49730 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:17:22.348432064 CEST | 53009 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:22.353336096 CEST | 7001 | 53009 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:17:22.353423119 CEST | 53009 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:22.357135057 CEST | 53009 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:22.362447023 CEST | 7001 | 53009 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:17:43.736099005 CEST | 7001 | 53009 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:17:43.736278057 CEST | 53009 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:43.736347914 CEST | 53009 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:43.741338968 CEST | 7001 | 53009 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:17:44.742913008 CEST | 53013 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:44.748009920 CEST | 7001 | 53013 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:17:44.748114109 CEST | 53013 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:44.767834902 CEST | 53013 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:17:44.772671938 CEST | 7001 | 53013 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:18:06.102931023 CEST | 7001 | 53013 | 84.38.132.103 | 192.168.2.4
Sep 5, 2024 14:18:06.103034019 CEST | 53013 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:18:06.103122950 CEST | 53013 | 7001 | 192.168.2.4 | 84.38.132.103
Sep 5, 2024 14:18:06.107887030 CEST | 7001 | 53013 | 84.38.132.103 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 5, 2024 14:17:16.261231899 CEST | 53 | 55982 | 1.1.1.1 | 192.168.2.4


Target ID: 0
Start time: 08:16:55
Start date: 05/09/2024
Path: C:\Users\user\Desktop\3TpW2Sn68z.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\3TpW2Sn68z.exe"
Imagebase: 0x560000
File size: 1'426'944 bytes
MD5 hash: C7FC0CEE8CA35D709ED276E9F88DDBED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 08:16:56
Start date: 05/09/2024
Path: C:\Users\user\AppData\Local\directory\RegAsymX.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\3TpW2Sn68z.exe"
Imagebase: 0x7e0000
File size: 1'426'944 bytes
MD5 hash: C7FC0CEE8CA35D709ED276E9F88DDBED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000001.00000002.1695928275.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 50%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:16:57
Start date: 05/09/2024
Path: C:\Users\user\AppData\Local\directory\RegAsymX.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
Imagebase: 0x7e0000
File size: 1'426'944 bytes
MD5 hash: C7FC0CEE8CA35D709ED276E9F88DDBED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4144608465.0000000003CEF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4143971478.0000000001118000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.4143842254.0000000001040000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4143971478.0000000001148000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4144505602.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.4143167796.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 3
Start time: 08:16:59
Start date: 05/09/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: svchost.exe
Imagebase: 0x900000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 08:17:02
Start date: 05/09/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 568
Imagebase: 0x500000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 08:17:08
Start date: 05/09/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsymX.vbs"
Imagebase: 0x7ff66f9c0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 08:17:09
Start date: 05/09/2024
Path: C:\Users\user\AppData\Local\directory\RegAsymX.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\directory\RegAsymX.exe"
Imagebase: 0x7e0000
File size: 1'426'944 bytes
MD5 hash: C7FC0CEE8CA35D709ED276E9F88DDBED
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.4144035421.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4143940399.0000000001B5D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4143632839.0000000001938000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.4143019501.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 2.9%
Dynamic/Decrypted Code Coverage: 0.9%
Signature Coverage: 4.9%
Total number of Nodes: 1983
Total number of Limit Nodes: 46
execution_graph: serialized node and edge data of the interactive execution graph (node ids, code addresses and API-call labels), not reproduced here.
94782->94783 94801 5d2d3f 94782->94801 94784 5d2d56 94783->94784 94785 5650f5 40 API calls 94784->94785 94786 5d2d66 94785->94786 94787 5650f5 40 API calls 94786->94787 94788 5d2d81 94787->94788 94789 5650f5 40 API calls 94788->94789 94790 5d2d9c 94789->94790 94791 56511f 64 API calls 94790->94791 94792 5d2db3 94791->94792 94793 58ea0c ___std_exception_copy 21 API calls 94792->94793 94794 5d2dba 94793->94794 94795 58ea0c ___std_exception_copy 21 API calls 94794->94795 94796 5d2dc4 94795->94796 94797 5650f5 40 API calls 94796->94797 94798 5d2dd8 94797->94798 95128 5d28fe 27 API calls 94798->95128 94800 5d2dee 94800->94801 95129 5d22ce 94800->95129 94801->94642 94804 564f43 94803->94804 94806 564f4a 94803->94806 94805 58e678 67 API calls 94804->94805 94805->94806 94807 564f6a FreeLibrary 94806->94807 94808 564f59 94806->94808 94807->94808 94808->94644 94809->94656 94810->94660 94811->94667 94812->94674 94813->94684 94815 56aec9 22 API calls 94814->94815 94816 564c78 94815->94816 94816->94715 94818 56516e 94817->94818 94822 56518f __fread_nolock 94817->94822 94820 57fe0b 22 API calls 94818->94820 94819 57fddb 22 API calls 94821 5651a2 94819->94821 94820->94822 94821->94725 94822->94819 94824 563a67 GetModuleFileNameW 94823->94824 94824->94729 94826 5a1f50 __wsopen_s 94825->94826 94827 563aaf GetFullPathNameW 94826->94827 94828 563ace 94827->94828 94829 563ae9 94827->94829 94831 566b57 22 API calls 94828->94831 94839 56a6c3 94829->94839 94832 563ada 94831->94832 94835 5637a0 94832->94835 94836 5637ae 94835->94836 94837 5693b2 22 API calls 94836->94837 94838 5637c2 94837->94838 94838->94732 94840 56a6d0 94839->94840 94841 56a6dd 94839->94841 94840->94832 94842 57fddb 22 API calls 94841->94842 94843 56a6e7 94842->94843 94844 57fe0b 22 API calls 94843->94844 94844->94840 94846 564ec6 94845->94846 94847 564ea8 GetProcAddress 94845->94847 94850 58e5eb 94846->94850 94848 564eb8 94847->94848 94848->94846 94849 564ebf FreeLibrary 94848->94849 94849->94846 94881 58e52a 
94850->94881 94852 564eea 94852->94744 94852->94745 94854 564e6e GetProcAddress 94853->94854 94855 564e8d 94853->94855 94856 564e7e 94854->94856 94858 564f80 94855->94858 94856->94855 94857 564e86 FreeLibrary 94856->94857 94857->94855 94859 57fe0b 22 API calls 94858->94859 94860 564f95 94859->94860 94949 565722 94860->94949 94862 564fa1 __fread_nolock 94863 564fdc 94862->94863 94864 5650a5 94862->94864 94865 5a3d1d 94862->94865 94868 5650f5 40 API calls 94863->94868 94869 5a3d22 94863->94869 94873 56506e ISource 94863->94873 94958 56511f 94863->94958 94952 5642a2 CreateStreamOnHGlobal 94864->94952 94963 5d304d 74 API calls 94865->94963 94868->94863 94870 56511f 64 API calls 94869->94870 94871 5a3d45 94870->94871 94872 5650f5 40 API calls 94871->94872 94872->94873 94873->94752 94876 565107 94875->94876 94879 5a3d70 94875->94879 94985 58e8c4 94876->94985 94880 5d28fe 27 API calls 94880->94760 94883 58e536 ___BuildCatchObject 94881->94883 94882 58e544 94906 58f2d9 20 API calls _abort 94882->94906 94883->94882 94885 58e574 94883->94885 94887 58e579 94885->94887 94888 58e586 94885->94888 94886 58e549 94907 5927ec 26 API calls ___std_exception_copy 94886->94907 94908 58f2d9 20 API calls _abort 94887->94908 94898 598061 94888->94898 94892 58e58f 94893 58e5a2 94892->94893 94894 58e595 94892->94894 94910 58e5d4 LeaveCriticalSection __fread_nolock 94893->94910 94909 58f2d9 20 API calls _abort 94894->94909 94896 58e554 __fread_nolock 94896->94852 94899 59806d ___BuildCatchObject 94898->94899 94911 592f5e EnterCriticalSection 94899->94911 94901 59807b 94912 5980fb 94901->94912 94905 5980ac __fread_nolock 94905->94892 94906->94886 94907->94896 94908->94896 94909->94896 94910->94896 94911->94901 94913 59811e 94912->94913 94914 598177 94913->94914 94920 598088 94913->94920 94928 58918d EnterCriticalSection 94913->94928 94929 5891a1 LeaveCriticalSection 94913->94929 94930 594c7d 94914->94930 94919 598189 94919->94920 94943 593405 11 API calls 2 library calls 94919->94943 94925 
5980b7 94920->94925 94922 5981a8 94944 58918d EnterCriticalSection 94922->94944 94948 592fa6 LeaveCriticalSection 94925->94948 94927 5980be 94927->94905 94928->94913 94929->94913 94935 594c8a _abort 94930->94935 94931 594cb5 RtlAllocateHeap 94933 594cc8 94931->94933 94931->94935 94932 594cca 94946 58f2d9 20 API calls _abort 94932->94946 94937 5929c8 94933->94937 94935->94931 94935->94932 94945 584ead 7 API calls 2 library calls 94935->94945 94938 5929fc _free 94937->94938 94939 5929d3 RtlFreeHeap 94937->94939 94938->94919 94939->94938 94940 5929e8 94939->94940 94947 58f2d9 20 API calls _abort 94940->94947 94942 5929ee GetLastError 94942->94938 94943->94922 94944->94920 94945->94935 94946->94933 94947->94942 94948->94927 94950 57fddb 22 API calls 94949->94950 94951 565734 94950->94951 94951->94862 94953 5642bc FindResourceExW 94952->94953 94957 5642d9 94952->94957 94954 5a35ba LoadResource 94953->94954 94953->94957 94955 5a35cf SizeofResource 94954->94955 94954->94957 94956 5a35e3 LockResource 94955->94956 94955->94957 94956->94957 94957->94863 94959 56512e 94958->94959 94960 5a3d90 94958->94960 94964 58ece3 94959->94964 94963->94869 94967 58eaaa 94964->94967 94966 56513c 94966->94863 94971 58eab6 ___BuildCatchObject 94967->94971 94968 58eac2 94980 58f2d9 20 API calls _abort 94968->94980 94970 58eae8 94982 58918d EnterCriticalSection 94970->94982 94971->94968 94971->94970 94972 58eac7 94981 5927ec 26 API calls ___std_exception_copy 94972->94981 94975 58eaf4 94983 58ec0a 62 API calls 2 library calls 94975->94983 94977 58eb08 94984 58eb27 LeaveCriticalSection __fread_nolock 94977->94984 94978 58ead2 __fread_nolock 94978->94966 94980->94972 94981->94978 94982->94975 94983->94977 94984->94978 94988 58e8e1 94985->94988 94987 565118 94987->94880 94989 58e8ed ___BuildCatchObject 94988->94989 94990 58e92d 94989->94990 94991 58e900 ___scrt_fastfail 94989->94991 94992 58e925 __fread_nolock 94989->94992 95001 58918d EnterCriticalSection 94990->95001 95015 58f2d9 20 API calls 
_abort 94991->95015 94992->94987 94994 58e937 95002 58e6f8 94994->95002 94997 58e91a 95016 5927ec 26 API calls ___std_exception_copy 94997->95016 95001->94994 95006 58e70a ___scrt_fastfail 95002->95006 95008 58e727 95002->95008 95003 58e717 95090 58f2d9 20 API calls _abort 95003->95090 95005 58e71c 95091 5927ec 26 API calls ___std_exception_copy 95005->95091 95006->95003 95006->95008 95011 58e76a __fread_nolock 95006->95011 95017 58e96c LeaveCriticalSection __fread_nolock 95008->95017 95009 58e886 ___scrt_fastfail 95093 58f2d9 20 API calls _abort 95009->95093 95011->95008 95011->95009 95018 58d955 95011->95018 95025 598d45 95011->95025 95092 58cf78 26 API calls 4 library calls 95011->95092 95015->94997 95016->94992 95017->94992 95019 58d961 95018->95019 95020 58d976 95018->95020 95094 58f2d9 20 API calls _abort 95019->95094 95020->95011 95022 58d966 95095 5927ec 26 API calls ___std_exception_copy 95022->95095 95024 58d971 95024->95011 95026 598d6f 95025->95026 95027 598d57 95025->95027 95028 5990d9 95026->95028 95033 598db4 95026->95033 95105 58f2c6 20 API calls _abort 95027->95105 95121 58f2c6 20 API calls _abort 95028->95121 95030 598d5c 95106 58f2d9 20 API calls _abort 95030->95106 95032 5990de 95122 58f2d9 20 API calls _abort 95032->95122 95036 598dbf 95033->95036 95039 598d64 95033->95039 95043 598def 95033->95043 95107 58f2c6 20 API calls _abort 95036->95107 95037 598dcc 95123 5927ec 26 API calls ___std_exception_copy 95037->95123 95039->95011 95040 598dc4 95108 58f2d9 20 API calls _abort 95040->95108 95044 598e08 95043->95044 95045 598e4a 95043->95045 95046 598e2e 95043->95046 95044->95046 95052 598e15 95044->95052 95112 593820 21 API calls 2 library calls 95045->95112 95109 58f2c6 20 API calls _abort 95046->95109 95048 598e33 95110 58f2d9 20 API calls _abort 95048->95110 95096 59f89b 95052->95096 95053 598e61 95056 5929c8 _free 20 API calls 95053->95056 95054 598e3a 95111 5927ec 26 API calls ___std_exception_copy 95054->95111 95055 598fb3 95058 599029 
95055->95058 95062 598fcc GetConsoleMode 95055->95062 95059 598e6a 95056->95059 95061 59902d ReadFile 95058->95061 95060 5929c8 _free 20 API calls 95059->95060 95063 598e71 95060->95063 95064 5990a1 GetLastError 95061->95064 95065 599047 95061->95065 95062->95058 95066 598fdd 95062->95066 95067 598e7b 95063->95067 95068 598e96 95063->95068 95069 5990ae 95064->95069 95070 599005 95064->95070 95065->95064 95071 59901e 95065->95071 95066->95061 95072 598fe3 ReadConsoleW 95066->95072 95113 58f2d9 20 API calls _abort 95067->95113 95115 599424 28 API calls __wsopen_s 95068->95115 95119 58f2d9 20 API calls _abort 95069->95119 95088 598e45 __fread_nolock 95070->95088 95116 58f2a3 20 API calls 2 library calls 95070->95116 95083 59906c 95071->95083 95084 599083 95071->95084 95071->95088 95072->95071 95077 598fff GetLastError 95072->95077 95073 5929c8 _free 20 API calls 95073->95039 95077->95070 95078 598e80 95114 58f2c6 20 API calls _abort 95078->95114 95079 5990b3 95120 58f2c6 20 API calls _abort 95079->95120 95117 598a61 31 API calls 4 library calls 95083->95117 95086 59909a 95084->95086 95084->95088 95118 5988a1 29 API calls __wsopen_s 95086->95118 95088->95073 95089 59909f 95089->95088 95090->95005 95091->95008 95092->95011 95093->95005 95094->95022 95095->95024 95097 59f8a8 95096->95097 95098 59f8b5 95096->95098 95124 58f2d9 20 API calls _abort 95097->95124 95100 59f8c1 95098->95100 95125 58f2d9 20 API calls _abort 95098->95125 95100->95055 95102 59f8ad 95102->95055 95103 59f8e2 95126 5927ec 26 API calls ___std_exception_copy 95103->95126 95105->95030 95106->95039 95107->95040 95108->95037 95109->95048 95110->95054 95111->95088 95112->95053 95113->95078 95114->95088 95115->95052 95116->95088 95117->95088 95118->95089 95119->95079 95120->95088 95121->95032 95122->95037 95123->95039 95124->95102 95125->95103 95126->95102 95127->94782 95128->94800 95130 5d22d9 95129->95130 95131 5d22e7 95129->95131 95132 58e5eb 29 API calls 95130->95132 95133 5d232c 95131->95133 95134 
58e5eb 29 API calls 95131->95134 95153 5d22f0 95131->95153 95132->95131 95158 5d2557 95133->95158 95136 5d2311 95134->95136 95136->95133 95138 5d231a 95136->95138 95137 5d2370 95139 5d2395 95137->95139 95140 5d2374 95137->95140 95143 58e678 67 API calls 95138->95143 95138->95153 95162 5d2171 95139->95162 95142 5d2381 95140->95142 95145 58e678 67 API calls 95140->95145 95148 58e678 67 API calls 95142->95148 95142->95153 95143->95153 95144 5d239d 95146 5d23c3 95144->95146 95147 5d23a3 95144->95147 95145->95142 95169 5d23f3 95146->95169 95149 5d23b0 95147->95149 95151 58e678 67 API calls 95147->95151 95148->95153 95152 58e678 67 API calls 95149->95152 95149->95153 95151->95149 95152->95153 95153->94801 95154 5d23de 95154->95153 95157 58e678 67 API calls 95154->95157 95155 5d23ca 95155->95154 95177 58e678 95155->95177 95157->95153 95159 5d257c 95158->95159 95161 5d2565 __fread_nolock 95158->95161 95160 58e8c4 __fread_nolock 40 API calls 95159->95160 95160->95161 95161->95137 95163 58ea0c ___std_exception_copy 21 API calls 95162->95163 95164 5d217f 95163->95164 95165 58ea0c ___std_exception_copy 21 API calls 95164->95165 95166 5d2190 95165->95166 95167 58ea0c ___std_exception_copy 21 API calls 95166->95167 95168 5d219c 95167->95168 95168->95144 95176 5d2408 95169->95176 95170 5d24c0 95194 5d2724 95170->95194 95172 5d21cc 40 API calls 95172->95176 95173 5d24c7 95173->95155 95176->95170 95176->95172 95176->95173 95190 5d2606 95176->95190 95198 5d2269 40 API calls 95176->95198 95178 58e684 ___BuildCatchObject 95177->95178 95179 58e6aa 95178->95179 95180 58e695 95178->95180 95189 58e6a5 __fread_nolock 95179->95189 95255 58918d EnterCriticalSection 95179->95255 95272 58f2d9 20 API calls _abort 95180->95272 95183 58e69a 95273 5927ec 26 API calls ___std_exception_copy 95183->95273 95184 58e6c6 95256 58e602 95184->95256 95187 58e6d1 95274 58e6ee LeaveCriticalSection __fread_nolock 95187->95274 95189->95154 95191 5d2617 95190->95191 95192 5d261d 95190->95192 95191->95192 95199 
5d26d7 95191->95199 95192->95176 95195 5d2742 95194->95195 95196 5d2731 95194->95196 95195->95173 95197 58dbb3 65 API calls 95196->95197 95197->95195 95198->95176 95200 5d2714 95199->95200 95201 5d2703 95199->95201 95200->95191 95203 58dbb3 95201->95203 95204 58dbc1 95203->95204 95209 58dbdd 95203->95209 95205 58dbcd 95204->95205 95206 58dbe3 95204->95206 95204->95209 95215 58f2d9 20 API calls _abort 95205->95215 95212 58d9cc 95206->95212 95209->95200 95210 58dbd2 95216 5927ec 26 API calls ___std_exception_copy 95210->95216 95217 58d97b 95212->95217 95214 58d9f0 95214->95209 95215->95210 95216->95209 95218 58d987 ___BuildCatchObject 95217->95218 95225 58918d EnterCriticalSection 95218->95225 95220 58d995 95226 58d9f4 95220->95226 95224 58d9b3 __fread_nolock 95224->95214 95225->95220 95234 5949a1 95226->95234 95232 58d9a2 95233 58d9c0 LeaveCriticalSection __fread_nolock 95232->95233 95233->95224 95235 58d955 __fread_nolock 26 API calls 95234->95235 95236 5949b0 95235->95236 95237 59f89b __fread_nolock 26 API calls 95236->95237 95238 5949b6 95237->95238 95239 593820 _strftime 21 API calls 95238->95239 95242 58da09 95238->95242 95240 594a15 95239->95240 95241 5929c8 _free 20 API calls 95240->95241 95241->95242 95243 58da3a 95242->95243 95244 58da4c 95243->95244 95245 58da24 95243->95245 95244->95245 95246 58da5a 95244->95246 95252 58da85 __fread_nolock 95244->95252 95254 594a56 62 API calls 95245->95254 95247 58f2d9 _free 20 API calls 95246->95247 95248 58da5f 95247->95248 95249 5927ec ___std_exception_copy 26 API calls 95248->95249 95249->95245 95250 58dc0b 62 API calls 95250->95252 95251 58d955 __fread_nolock 26 API calls 95251->95252 95252->95245 95252->95250 95252->95251 95253 5959be __wsopen_s 62 API calls 95252->95253 95253->95252 95254->95232 95255->95184 95257 58e60f 95256->95257 95258 58e624 95256->95258 95300 58f2d9 20 API calls _abort 95257->95300 95270 58e61f 95258->95270 95275 58dc0b 95258->95275 95260 58e614 95301 5927ec 26 API calls 
___std_exception_copy 95260->95301 95266 58d955 __fread_nolock 26 API calls 95267 58e646 95266->95267 95285 59862f 95267->95285 95270->95187 95271 5929c8 _free 20 API calls 95271->95270 95272->95183 95273->95189 95274->95189 95276 58dc1f 95275->95276 95277 58dc23 95275->95277 95281 594d7a 95276->95281 95277->95276 95278 58d955 __fread_nolock 26 API calls 95277->95278 95279 58dc43 95278->95279 95302 5959be 95279->95302 95282 594d90 95281->95282 95284 58e640 95281->95284 95283 5929c8 _free 20 API calls 95282->95283 95282->95284 95283->95284 95284->95266 95286 59863e 95285->95286 95287 598653 95285->95287 95425 58f2c6 20 API calls _abort 95286->95425 95289 59868e 95287->95289 95293 59867a 95287->95293 95427 58f2c6 20 API calls _abort 95289->95427 95290 598643 95426 58f2d9 20 API calls _abort 95290->95426 95422 598607 95293->95422 95294 598693 95428 58f2d9 20 API calls _abort 95294->95428 95297 58e64c 95297->95270 95297->95271 95298 59869b 95429 5927ec 26 API calls ___std_exception_copy 95298->95429 95300->95260 95301->95270 95303 5959ca ___BuildCatchObject 95302->95303 95304 5959d2 95303->95304 95306 5959ea 95303->95306 95381 58f2c6 20 API calls _abort 95304->95381 95305 595a88 95386 58f2c6 20 API calls _abort 95305->95386 95306->95305 95312 595a1f 95306->95312 95308 5959d7 95382 58f2d9 20 API calls _abort 95308->95382 95311 595a8d 95387 58f2d9 20 API calls _abort 95311->95387 95327 595147 EnterCriticalSection 95312->95327 95315 595a95 95388 5927ec 26 API calls ___std_exception_copy 95315->95388 95316 595a25 95318 595a41 95316->95318 95319 595a56 95316->95319 95383 58f2d9 20 API calls _abort 95318->95383 95328 595aa9 95319->95328 95321 5959df __fread_nolock 95321->95276 95323 595a51 95385 595a80 LeaveCriticalSection __wsopen_s 95323->95385 95324 595a46 95384 58f2c6 20 API calls _abort 95324->95384 95327->95316 95329 595ad7 95328->95329 95366 595ad0 95328->95366 95330 595adb 95329->95330 95331 595afa 95329->95331 95396 58f2c6 20 API calls _abort 95330->95396 95334 
595b4b 95331->95334 95335 595b2e 95331->95335 95338 595b61 95334->95338 95402 599424 28 API calls __wsopen_s 95334->95402 95399 58f2c6 20 API calls _abort 95335->95399 95336 595cb1 95336->95323 95337 595ae0 95397 58f2d9 20 API calls _abort 95337->95397 95389 59564e 95338->95389 95342 595ae7 95398 5927ec 26 API calls ___std_exception_copy 95342->95398 95344 595b33 95400 58f2d9 20 API calls _abort 95344->95400 95348 595ba8 95351 595bbc 95348->95351 95352 595c02 WriteFile 95348->95352 95349 595b6f 95353 595b73 95349->95353 95354 595b95 95349->95354 95350 595b3b 95401 5927ec 26 API calls ___std_exception_copy 95350->95401 95356 595bf2 95351->95356 95357 595bc4 95351->95357 95359 595c25 GetLastError 95352->95359 95365 595b8b 95352->95365 95358 595c69 95353->95358 95403 5955e1 GetLastError WriteConsoleW CreateFileW __wsopen_s 95353->95403 95404 59542e 45 API calls 3 library calls 95354->95404 95407 5956c4 7 API calls 2 library calls 95356->95407 95361 595bc9 95357->95361 95362 595be2 95357->95362 95358->95366 95411 58f2d9 20 API calls _abort 95358->95411 95359->95365 95361->95358 95367 595bd2 95361->95367 95406 595891 8 API calls 2 library calls 95362->95406 95365->95358 95365->95366 95372 595c45 95365->95372 95413 580a8c 95366->95413 95405 5957a3 7 API calls 2 library calls 95367->95405 95369 595be0 95369->95365 95371 595c8e 95412 58f2c6 20 API calls _abort 95371->95412 95375 595c4c 95372->95375 95376 595c60 95372->95376 95408 58f2d9 20 API calls _abort 95375->95408 95410 58f2a3 20 API calls 2 library calls 95376->95410 95379 595c51 95409 58f2c6 20 API calls _abort 95379->95409 95381->95308 95382->95321 95383->95324 95384->95323 95385->95321 95386->95311 95387->95315 95388->95321 95390 59f89b __fread_nolock 26 API calls 95389->95390 95391 59565e 95390->95391 95392 595663 95391->95392 95420 592d74 38 API calls 2 library calls 95391->95420 95392->95348 95392->95349 95394 595686 95394->95392 95395 5956a4 GetConsoleMode 95394->95395 95395->95392 95396->95337 95397->95342 
95398->95366 95399->95344 95400->95350 95401->95366 95402->95338 95403->95365 95404->95365 95405->95369 95406->95369 95407->95369 95408->95379 95409->95366 95410->95366 95411->95371 95412->95366 95414 580a95 95413->95414 95415 580a97 IsProcessorFeaturePresent 95413->95415 95414->95336 95417 580c5d 95415->95417 95421 580c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 95417->95421 95419 580d40 95419->95336 95420->95394 95421->95419 95430 598585 95422->95430 95424 59862b 95424->95297 95425->95290 95426->95297 95427->95294 95428->95298 95429->95297 95431 598591 ___BuildCatchObject 95430->95431 95441 595147 EnterCriticalSection 95431->95441 95433 59859f 95434 5985d1 95433->95434 95435 5985c6 95433->95435 95457 58f2d9 20 API calls _abort 95434->95457 95442 5986ae 95435->95442 95438 5985cc 95458 5985fb LeaveCriticalSection __wsopen_s 95438->95458 95440 5985ee __fread_nolock 95440->95424 95441->95433 95459 5953c4 95442->95459 95444 5986c4 95472 595333 21 API calls 3 library calls 95444->95472 95446 5986be 95446->95444 95449 5953c4 __wsopen_s 26 API calls 95446->95449 95456 5986f6 95446->95456 95447 5953c4 __wsopen_s 26 API calls 95450 598702 FindCloseChangeNotification 95447->95450 95448 59871c 95451 59873e 95448->95451 95473 58f2a3 20 API calls 2 library calls 95448->95473 95452 5986ed 95449->95452 95450->95444 95453 59870e GetLastError 95450->95453 95451->95438 95455 5953c4 __wsopen_s 26 API calls 95452->95455 95453->95444 95455->95456 95456->95444 95456->95447 95457->95438 95458->95440 95460 5953d1 95459->95460 95462 5953e6 95459->95462 95474 58f2c6 20 API calls _abort 95460->95474 95466 59540b 95462->95466 95476 58f2c6 20 API calls _abort 95462->95476 95463 5953d6 95475 58f2d9 20 API calls _abort 95463->95475 95466->95446 95467 595416 95477 58f2d9 20 API calls _abort 95467->95477 95468 5953de 95468->95446 95470 59541e 95478 5927ec 26 API calls ___std_exception_copy 95470->95478 95472->95448 95473->95451 95474->95463 
95475->95468 95476->95467 95477->95470 95478->95468 95479 5990fa 95480 599107 95479->95480 95483 59911f 95479->95483 95529 58f2d9 20 API calls _abort 95480->95529 95482 59910c 95530 5927ec 26 API calls ___std_exception_copy 95482->95530 95485 59917a 95483->95485 95491 599117 95483->95491 95531 59fdc4 21 API calls 2 library calls 95483->95531 95487 58d955 __fread_nolock 26 API calls 95485->95487 95488 599192 95487->95488 95499 598c32 95488->95499 95490 599199 95490->95491 95492 58d955 __fread_nolock 26 API calls 95490->95492 95493 5991c5 95492->95493 95493->95491 95494 58d955 __fread_nolock 26 API calls 95493->95494 95495 5991d3 95494->95495 95495->95491 95496 58d955 __fread_nolock 26 API calls 95495->95496 95497 5991e3 95496->95497 95498 58d955 __fread_nolock 26 API calls 95497->95498 95498->95491 95500 598c3e ___BuildCatchObject 95499->95500 95501 598c46 95500->95501 95504 598c5e 95500->95504 95533 58f2c6 20 API calls _abort 95501->95533 95503 598d24 95540 58f2c6 20 API calls _abort 95503->95540 95504->95503 95509 598c97 95504->95509 95506 598c4b 95534 58f2d9 20 API calls _abort 95506->95534 95507 598d29 95541 58f2d9 20 API calls _abort 95507->95541 95511 598cbb 95509->95511 95512 598ca6 95509->95512 95532 595147 EnterCriticalSection 95511->95532 95535 58f2c6 20 API calls _abort 95512->95535 95514 598cb3 95542 5927ec 26 API calls ___std_exception_copy 95514->95542 95516 598cab 95536 58f2d9 20 API calls _abort 95516->95536 95517 598cc1 95519 598cdd 95517->95519 95520 598cf2 95517->95520 95537 58f2d9 20 API calls _abort 95519->95537 95524 598d45 __fread_nolock 38 API calls 95520->95524 95522 598c53 __fread_nolock 95522->95490 95526 598ced 95524->95526 95525 598ce2 95538 58f2c6 20 API calls _abort 95525->95538 95539 598d1c LeaveCriticalSection __wsopen_s 95526->95539 95529->95482 95530->95491 95531->95485 95532->95517 95533->95506 95534->95522 95535->95516 95536->95514 95537->95525 95538->95526 95539->95522 95540->95507 95541->95514 95542->95522 95543 5803fb 95544 
580407 ___BuildCatchObject 95543->95544 95572 57feb1 95544->95572 95546 58040e 95547 580561 95546->95547 95550 580438 95546->95550 95599 58083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 95547->95599 95549 580568 95600 584e52 28 API calls _abort 95549->95600 95561 580477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 95550->95561 95583 59247d 95550->95583 95552 58056e 95601 584e04 28 API calls _abort 95552->95601 95556 580576 95557 580457 95559 5804d8 95591 580959 95559->95591 95561->95559 95595 584e1a 38 API calls 2 library calls 95561->95595 95563 5804de 95564 5804f3 95563->95564 95596 580992 GetModuleHandleW 95564->95596 95566 5804fa 95566->95549 95567 5804fe 95566->95567 95568 580507 95567->95568 95597 584df5 28 API calls _abort 95567->95597 95598 580040 13 API calls 2 library calls 95568->95598 95571 58050f 95571->95557 95573 57feba 95572->95573 95602 580698 IsProcessorFeaturePresent 95573->95602 95575 57fec6 95603 582c94 10 API calls 3 library calls 95575->95603 95577 57fecb 95582 57fecf 95577->95582 95604 592317 95577->95604 95579 57fee6 95579->95546 95582->95546 95584 592494 95583->95584 95585 580a8c CatchGuardHandler 5 API calls 95584->95585 95586 580451 95585->95586 95586->95557 95587 592421 95586->95587 95588 592450 95587->95588 95589 580a8c CatchGuardHandler 5 API calls 95588->95589 95590 592479 95589->95590 95590->95561 95655 582340 95591->95655 95594 58097f 95594->95563 95595->95559 95596->95566 95597->95568 95598->95571 95599->95549 95600->95552 95601->95556 95602->95575 95603->95577 95608 59d1f6 95604->95608 95607 582cbd 8 API calls 3 library calls 95607->95582 95609 59d213 95608->95609 95612 59d20f 95608->95612 95609->95612 95614 594bfb 95609->95614 95610 580a8c CatchGuardHandler 5 API calls 95611 57fed8 95610->95611 95611->95579 95611->95607 95612->95610 95615 594c07 ___BuildCatchObject 95614->95615 95626 592f5e EnterCriticalSection 95615->95626 95617 
594c0e 95627 5950af 95617->95627 95619 594c1d 95620 594c2c 95619->95620 95640 594a8f 29 API calls 95619->95640 95642 594c48 LeaveCriticalSection _abort 95620->95642 95623 594c27 95641 594b45 GetStdHandle GetFileType 95623->95641 95624 594c3d __fread_nolock 95624->95609 95626->95617 95628 5950bb ___BuildCatchObject 95627->95628 95629 5950c8 95628->95629 95630 5950df 95628->95630 95651 58f2d9 20 API calls _abort 95629->95651 95643 592f5e EnterCriticalSection 95630->95643 95633 5950eb 95639 595117 95633->95639 95644 595000 95633->95644 95634 5950cd 95652 5927ec 26 API calls ___std_exception_copy 95634->95652 95637 5950d7 __fread_nolock 95637->95619 95653 59513e LeaveCriticalSection _abort 95639->95653 95640->95623 95641->95620 95642->95624 95643->95633 95645 594c7d _abort 20 API calls 95644->95645 95646 595012 95645->95646 95650 59501f 95646->95650 95654 593405 11 API calls 2 library calls 95646->95654 95647 5929c8 _free 20 API calls 95649 595071 95647->95649 95649->95633 95650->95647 95651->95634 95652->95637 95653->95637 95654->95646 95656 58096c GetStartupInfoW 95655->95656 95656->95594 95657 561033 95662 564c91 95657->95662 95661 561042 95663 56a961 22 API calls 95662->95663 95664 564cff 95663->95664 95670 563af0 95664->95670 95667 564d9c 95668 561038 95667->95668 95673 5651f7 22 API calls __fread_nolock 95667->95673 95669 5800a3 29 API calls __onexit 95668->95669 95669->95661 95674 563b1c 95670->95674 95673->95667 95675 563b0f 95674->95675 95676 563b29 95674->95676 95675->95667 95676->95675 95677 563b30 RegOpenKeyExW 95676->95677 95677->95675 95678 563b4a RegQueryValueExW 95677->95678 95679 563b80 RegCloseKey 95678->95679 95680 563b6b 95678->95680 95679->95675 95680->95679 95681 56df10 95684 56b710 95681->95684 95685 56b72b 95684->95685 95686 5b00f8 95685->95686 95687 5b0146 95685->95687 95714 56b750 95685->95714 95690 5b0102 95686->95690 95693 5b010f 95686->95693 95686->95714 95750 5e58a2 236 API calls 2 library calls 95687->95750 95748 5e5d33 236 API calls 
[Execution graph residue: the Joe Sandbox call-graph rendering (function-address nodes with "N API calls" labels and node->node edges) is not reproducible as text and has been collapsed to this placeholder. Only the Windows API names that appear on the graph nodes are recoverable.]

APIs named on graph nodes in the main image (0x56xxxx-0x5fxxxx): EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedExchange, SetEvent, ResetEvent, WaitForSingleObject, WaitForSingleObjectEx, CreateThread, DuplicateHandle, CloseHandle, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, IsWow64Process, GetVersionExW, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, VirtualAlloc, CreateFileW, ReadFile, GetFileType, SetFileTime, CopyFileW, DeleteFileW, GetTempPathW, GetTempFileNameW, GetFileAttributesW, FindFirstFileW, FindClose, GetFullPathNameW, GetLongPathNameW, GetOpenFileNameW, SetCurrentDirectoryW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetStdHandle, GetLastError, lstrlenW, CharLowerBuffW, CharUpperBuffW, GetStringTypeW, OleInitialize, RegisterWindowMessageW, CreateWindowExW, ShowWindow, PeekMessageW, GetInputState, TranslateMessage, TranslateAcceleratorW, DispatchMessageW, IsDialogMessageW, GetClassLongW, GetForegroundWindow, SystemParametersInfoW, Shell_NotifyIconW, ShellExecuteW, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep.

APIs named on graph nodes in the dynamically allocated region (0x2020000-0x2023xxx): CreateFileW, VirtualAlloc, ReadFile, Sleep, and a GetPEB helper.

                    Control-flow Graph

                    Control-flow graph (legend: Executed / Not Executed) for the function at 5642de; the edge data is figure residue and is not reproduced. The APIs it references (GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo) are listed under APIs below.
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 0056430D
                      • Part of subcall function 00566B57: _wcslen.LIBCMT ref: 00566B6A
                    • GetCurrentProcess.KERNEL32(?,005FCB64,00000000,?,?), ref: 00564422
                    • IsWow64Process.KERNEL32(00000000,?,?), ref: 00564429
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00564454
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00564466
                    • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00564474
                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0056447B
                    • GetSystemInfo.KERNEL32(?,?,?), ref: 005644A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                    • String ID: GetNativeSystemInfo$kernel32.dll$|O
                    • API String ID: 3290436268-3101561225
                    • Opcode ID: 5b2b953a7ffffba6c5690f58dbe99c9d8d7f41f5979583e88c770c245f3262cb
                    • Instruction ID: 61f969268761befac822268f4a501e8e46d037c5b8ff529e8cb3de88cf3bd3de
                    • Opcode Fuzzy Hash: 5b2b953a7ffffba6c5690f58dbe99c9d8d7f41f5979583e88c770c245f3262cb
                    • Instruction Fuzzy Hash: A1A1A571D0A2D0DFEB11C769BC415A97FA6BB37344B0878A9E0419FB22D6344608DFA1

                    Control-flow Graph

                    Control-flow graph (legend: Executed / Not Executed) for the function at 5642a2; the edge data is figure residue and is not reproduced. The APIs it references (CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource) are listed under APIs below.
                    APIs
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,005650AA,?,?,00000000,00000000), ref: 005642B2
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005650AA,?,?,00000000,00000000), ref: 005642C9
                    • LoadResource.KERNEL32(?,00000000,?,?,005650AA,?,?,00000000,00000000,?,?,?,?,?,?,00564F20), ref: 005A35BE
                    • SizeofResource.KERNEL32(?,00000000,?,?,005650AA,?,?,00000000,00000000,?,?,?,?,?,?,00564F20), ref: 005A35D3
                    • LockResource.KERNEL32(005650AA,?,?,005650AA,?,?,00000000,00000000,?,?,?,?,?,?,00564F20,?), ref: 005A35E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT
                    • API String ID: 3051347437-3967369404
                    • Opcode ID: 05e4ffe187c261871bf36afa8bda0f24c67d0efb9ee6ff0e7b5638c802280439
                    • Instruction ID: 8f4675ce843b8751f1b86a5b545e455af76653ea70486b332e21d7224f79cbf7
                    • Opcode Fuzzy Hash: 05e4ffe187c261871bf36afa8bda0f24c67d0efb9ee6ff0e7b5638c802280439
                    • Instruction Fuzzy Hash: 19115A78240604AFD7218B65DD58F277FB9FBD5B51F208569F402D6250DB71D814DA20

                    Control-flow Graph

                    APIs
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00562B6B
                      • Part of subcall function 00563A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00631418,?,00562E7F,?,?,?,00000000), ref: 00563A78
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • GetForegroundWindow.USER32(runas,?,?,?,?,?,00622224), ref: 005A2C10
                    • ShellExecuteW.SHELL32(00000000,?,?,00622224), ref: 005A2C17
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                    • String ID: runas
                    • API String ID: 448630720-4000483414
                    • Opcode ID: 8e60513334e272eb44827784a8d07dd8e912a8973c80dec0a4bb04b2de862393
                    • Instruction ID: e1d791292cf98f436e9748f69490b94ade04c8d9bcefc0abb4a6369911e2e4a1
                    • Opcode Fuzzy Hash: 8e60513334e272eb44827784a8d07dd8e912a8973c80dec0a4bb04b2de862393
                    • Instruction Fuzzy Hash: 9511A231608646AAC714FF64D85A9BEBFA5FBE1350F04182DF082571B2CF358A49D752
                    APIs
                    • lstrlenW.KERNEL32(?,005A5222), ref: 005CDBCE
                    • GetFileAttributesW.KERNELBASE(?), ref: 005CDBDD
                    • FindFirstFileW.KERNELBASE(?,?), ref: 005CDBEE
                    • FindClose.KERNEL32(00000000), ref: 005CDBFA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirstlstrlen
                    • String ID:
                    • API String ID: 2695905019-0
                    • Opcode ID: 12f8301f4f8e973a3ec1d70aae661506ef2731b91deae1be18032db543e42cdb
                    • Instruction ID: a1ad79b8282bd1d37a71195b75bfdb84e1ab597b7dfa4743838b3de016cc30d4
                    • Opcode Fuzzy Hash: 12f8301f4f8e973a3ec1d70aae661506ef2731b91deae1be18032db543e42cdb
                    • Instruction Fuzzy Hash: 6CF0A7304105145B82206BB89D0DD7A3F7CAF41334B104726F476C20E0EBB46D58D9A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: p#c
                    • API String ID: 3964851224-3248682689
                    • Opcode ID: 3ea3968ae30307592bbd2b0bc7a0db2b1059ea89fa11846afa2a43e4a8845ab6
                    • Instruction ID: 0e26d86e0ec3d29d00ca305b62fbabaeb44202147fed8b596d9d012861138a0f
                    • Opcode Fuzzy Hash: 3ea3968ae30307592bbd2b0bc7a0db2b1059ea89fa11846afa2a43e4a8845ab6
                    • Instruction Fuzzy Hash: 9EA258706083419FD724DF28C484B6ABFE1BF89304F14996DE89A9B392D771EC45CB92
                    APIs
                    • GetInputState.USER32 ref: 0056D807
                    • timeGetTime.WINMM ref: 0056DA07
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0056DB28
                    • TranslateMessage.USER32(?), ref: 0056DB7B
                    • DispatchMessageW.USER32(?), ref: 0056DB89
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0056DB9F
                    • Sleep.KERNEL32(0000000A), ref: 0056DBB1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                    • String ID:
                    • API String ID: 2189390790-0
                    • Opcode ID: 437f23b6df0f000832a03ae8a7bb29185748b952ea09eca0a157ff57d0a5e386
                    • Instruction ID: dc1a6d43b5abcd25fdabea302799c904a16c96d86fb113c2effeb48066a7050d
                    • Opcode Fuzzy Hash: 437f23b6df0f000832a03ae8a7bb29185748b952ea09eca0a157ff57d0a5e386
                    • Instruction Fuzzy Hash: A142D130B08746DFD728CF24C899BAABFB1BF85304F14895DE4558B2A1D774E844DBA2

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00562D07
                    • RegisterClassExW.USER32(00000030), ref: 00562D31
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00562D42
                    • InitCommonControlsEx.COMCTL32(?), ref: 00562D5F
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00562D6F
                    • LoadIconW.USER32(000000A9), ref: 00562D85
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00562D94
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 14b93da2cbb3038dc3b3365b5ab41a0703abce4c28661776f2301a48c61b2d31
                    • Instruction ID: a3d5c1df377036dab655ea3565a450044223d36f3c41e424699f3b2dc8ca8750
                    • Opcode Fuzzy Hash: 14b93da2cbb3038dc3b3365b5ab41a0703abce4c28661776f2301a48c61b2d31
                    • Instruction Fuzzy Hash: E021E4B594120CAFDB00DFA4E949BEDBFB9FB09701F00412AE611EA2A0D7B51548DF90

                    Control-flow Graph

                    Control-flow graph (legend: Executed / Not Executed) for the function at 598d45; the edge data is figure residue and is not reproduced. The APIs the graph references are ReadFile, GetConsoleMode, ReadConsoleW and GetLastError.
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: .X
                    • API String ID: 0-3424028424
                    • Opcode ID: e56c67a1fc268f65d071d3f7f8614ee006e32597ef6d7950720cb13014a9ede6
                    • Instruction ID: e2b5bd2e92181e02627f278b66505ebe0c2b042f6c94020243623e92e12ebd6b
                    • Opcode Fuzzy Hash: e56c67a1fc268f65d071d3f7f8614ee006e32597ef6d7950720cb13014a9ede6
                    • Instruction Fuzzy Hash: A8C1C07490424AAFDF11EFACC849BBDBFB5BF4A310F144099E825A7292D7349941CB61

                    Control-flow Graph

                    Control-flow graph (legend: Executed / Not Executed) for the function at 5a065b; the edge data is figure residue and is not reproduced. The APIs it references (CreateFileW via subcall, GetFileType, GetLastError, CloseHandle) are listed under APIs below.
                    APIs
                      • Part of subcall function 005A039A: CreateFileW.KERNELBASE(00000000,00000000,?,005A0704,?,?,00000000,?,005A0704,00000000,0000000C), ref: 005A03B7
                    • GetLastError.KERNEL32 ref: 005A076F
                    • __dosmaperr.LIBCMT ref: 005A0776
                    • GetFileType.KERNELBASE(00000000), ref: 005A0782
                    • GetLastError.KERNEL32 ref: 005A078C
                    • __dosmaperr.LIBCMT ref: 005A0795
                    • CloseHandle.KERNEL32(00000000), ref: 005A07B5
                    • CloseHandle.KERNEL32(?), ref: 005A08FF
                    • GetLastError.KERNEL32 ref: 005A0931
                    • __dosmaperr.LIBCMT ref: 005A0938
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                    • String ID: H
                    • API String ID: 4237864984-2852464175
                    • Opcode ID: 42c53fef9b73047e104182fba69e0a37c921e6db1ed7ceae364d08ae05a0ba98
                    • Instruction ID: 24bd7fa640777d56b1c5f8438d4837006a25f35c938c8ef7d52d92bcb478e007
                    • Opcode Fuzzy Hash: 42c53fef9b73047e104182fba69e0a37c921e6db1ed7ceae364d08ae05a0ba98
                    • Instruction Fuzzy Hash: D1A13132A201098FDF19AF68DC65BAE3FA1FB4A320F14115DF815EB2D1DB359816CB91

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00563A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00631418,?,00562E7F,?,?,?,00000000), ref: 00563A78
                      • Part of subcall function 00563357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00563379
                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0056356A
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005A318D
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005A31CE
                    • RegCloseKey.ADVAPI32(?), ref: 005A3210
                    • _wcslen.LIBCMT ref: 005A3277
                    • _wcslen.LIBCMT ref: 005A3286
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 98802146-2727554177
                    • Opcode ID: fe304c84a75a1d0b0275f2ce8fe01a0434acd6fed14cad7e4bc0a4ba577c7f68
                    • Instruction ID: 531cfb115dc3b169e7b6beb16b33258e29543e5bfb18344e336f2e4d4b56ec91
                    • Opcode Fuzzy Hash: fe304c84a75a1d0b0275f2ce8fe01a0434acd6fed14cad7e4bc0a4ba577c7f68
                    • Instruction Fuzzy Hash: 6971CF714043069EE314EF25EC959AFBFE9FF95740F40182EF545931A0EB349A48CBA2

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00562B8E
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00562B9D
                    • LoadIconW.USER32(00000063), ref: 00562BB3
                    • LoadIconW.USER32(000000A4), ref: 00562BC5
                    • LoadIconW.USER32(000000A2), ref: 00562BD7
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00562BEF
                    • RegisterClassExW.USER32(?), ref: 00562C40
                      • Part of subcall function 00562CD4: GetSysColorBrush.USER32(0000000F), ref: 00562D07
                      • Part of subcall function 00562CD4: RegisterClassExW.USER32(00000030), ref: 00562D31
                      • Part of subcall function 00562CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00562D42
                      • Part of subcall function 00562CD4: InitCommonControlsEx.COMCTL32(?), ref: 00562D5F
                      • Part of subcall function 00562CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00562D6F
                      • Part of subcall function 00562CD4: LoadIconW.USER32(000000A9), ref: 00562D85
                      • Part of subcall function 00562CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00562D94
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: #$0$AutoIt v3
                    • API String ID: 423443420-4155596026
                    • Opcode ID: d5aca4a943831ccf46f56f027072ad3ef251e8ebb375812944c41639d57716e7
                    • Instruction ID: e93db6060310267db3081e45d51b725678bf2757de96db0202d7f99e8deb6712
                    • Opcode Fuzzy Hash: d5aca4a943831ccf46f56f027072ad3ef251e8ebb375812944c41639d57716e7
                    • Instruction Fuzzy Hash: 17214F71E01318ABEB109F95ED45AA97FB6FB49B50F00202AE500EB6A0D3B51A44DFD0
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 0056BB4E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Init_thread_footer
                    • String ID: p#c$p#c$p#c$p#c$p%c$p%c$x#c$x#c
                    • API String ID: 1385522511-1800814543
                    • Opcode ID: b6a0278c35a5b566361984d9ac5ebb6d551e906f413198a4394f2e62412d88f2
                    • Instruction ID: 588eae6379e8060a26c8e85224ea41533fa3790f7c64bab08d486479836f3d72
                    • Opcode Fuzzy Hash: b6a0278c35a5b566361984d9ac5ebb6d551e906f413198a4394f2e62412d88f2
                    • Instruction Fuzzy Hash: 4232A175A0020ADFEB24CF58C898ABEBFB5FF44314F148459E905AB2A1D774ED81CB91

                    Control-flow Graph (image omitted): entry block 00563170; edges reach DefWindowProcW, PostQuitMessage, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow and SetFocus; legend: Executed / Not Executed
                    APIs
                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0056316A,?,?), ref: 005631D8
                    • KillTimer.USER32(?,00000001,?,?,?,?,?,0056316A,?,?), ref: 00563204
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00563227
                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0056316A,?,?), ref: 00563232
                    • CreatePopupMenu.USER32 ref: 00563246
                    • PostQuitMessage.USER32(00000000), ref: 00563267
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated
                    • API String ID: 129472671-2362178303
                    • Opcode ID: 6878a0364e080f53bd33c25155252e4b927877a31f05f088078d669549678290
                    • Instruction ID: dfa0422477fbf606d7dd18d50c7ace49d8f50848135bc63979d1c32f62ce3e6c
                    • Opcode Fuzzy Hash: 6878a0364e080f53bd33c25155252e4b927877a31f05f088078d669549678290
                    • Instruction Fuzzy Hash: 5B412535244209ABEB142B78DD6EB7D3E5AFB47310F040529FA02CB2A2CB759A44D7E1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: D%c$D%c$D%c$D%c$D%cD%c$Variable must be of type 'Object'.
                    • API String ID: 0-2667386776
                    • Opcode ID: f820eceaee3b96664357d67525fab4e0d068b5501209ca282e583c63643915b3
                    • Instruction ID: 9b02e48610f30253262971ab55f7a53b1d4b9c81a882c609a23da6241b1d3534
                    • Opcode Fuzzy Hash: f820eceaee3b96664357d67525fab4e0d068b5501209ca282e583c63643915b3
                    • Instruction Fuzzy Hash: 9AC2CE79A01205CFCB24CF98C886AADBBF1FF59310F248569E906AB391D731ED41CB91

                    Control-flow Graph (image omitted): entry block 02020920; edges reach CreateFileW (twice), VirtualAlloc, ReadFile, WriteFile, FindCloseChangeNotification and VirtualFree, with a subcall to 02020820; legend: Executed / Not Executed
                    APIs
                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02020965
                    Memory Dump Source
                    • Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2020000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                    • Instruction ID: c2008adc62431c10e36eef60857e6d835692a5b0c7d07d92e3a355d9a3c86425
                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                    • Instruction Fuzzy Hash: 04510476A10308FBEF64DFA0CC49FEE77B9AF48700F508514F60AEA180DA749A44DB60
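The two kinds of "Memory Dump Source" on this page differ in a way that matters for triage. The AutoIt-image blocks are recovered from dumps such as 0000000000561000.00000020.00000001.01000000.00000003.sdmp at Offset 00560000 with "based on PE: true", while the CreateFileW, Sleep, CreateProcessW and ExitProcess blocks come from 0000000002020000.00000040.00001000.00020000.00000000.sdmp at Offset 02020000 with "based on PE: false". Reading the first and third fields after the base address as the winnt.h Protect and Type values of MEMORY_BASIC_INFORMATION gives PAGE_EXECUTE_READ / MEM_IMAGE for the former and PAGE_EXECUTE_READWRITE / MEM_PRIVATE for the latter: executable private memory with no module behind it. The Python script below is an added example, not part of the Joe Sandbox report or its tooling. It parses entries in this report's layout, attributes every API line to the region its dump came from, and lists the calls made from unbacked executable memory. The field interpretation is an assumption that fits every dump name on this page but is not documented by Joe Sandbox; the second and fourth fields are left undecoded. The excerpt embedded in the script is a constructed sample made of entries copied from this page.

```python
"""Triage helper for Joe Sandbox 'APIs' / 'Memory Dump Source' entries (added example).

Assumed, undocumented dump-name layout (fits every name on this page):
<pid>.<idx>.<stamp>.<base>.<Protect>.<?>.<Type>.<?>.sdmp
Protect and Type are read as winnt.h values; fields 2 and 4 are not decoded.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# winnt.h page protection (low byte only; PAGE_GUARD/NOCACHE modifiers ignored)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
# winnt.h MEMORY_BASIC_INFORMATION.Type
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"Source File:\s*[0-9a-f]{8}\.[0-9a-f]{8}\.\d+\.(?P<dump>[0-9a-f]{16})\."
    r"(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\.(?P<type>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp,"
    r"\s*Offset:\s*(?P<offset>[0-9a-f]+),\s*based on PE:\s*(?P<pe>true|false)",
    re.I,
)
# "• Api.MODULE(args), ref: addr", optionally prefixed by "Part of subcall function X:"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9a-f]+:\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9a-f]+)",
    re.I,
)


@dataclass(frozen=True)
class Region:
    base: int          # the report's "Offset" (module / allocation base)
    protect: int
    mem_type: int
    pe_backed: bool    # the report's "based on PE"

    def describe(self) -> str:
        prot = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")
        typ = MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")
        return f"{prot}|{typ}|{'image' if self.pe_backed else 'no-PE'}"

    def is_unbacked_executable(self) -> bool:
        """Executable, private and not PE-backed: where unpacked payloads run."""
        return ((self.protect & 0xFF) in EXECUTABLE
                and self.mem_type == 0x20000 and not self.pe_backed)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int
    region: Region


def parse_report(text: str) -> List[Call]:
    """Attach each 'APIs' line to the 'Source File' region that follows it."""
    calls: List[Call] = []
    pending: List[Tuple[str, str, Tuple[str, ...], int]] = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            pending.append((m["api"], m["mod"], args, int(m["ref"], 16)))
            continue
        m = SDMP_RE.search(line)
        if m:
            region = Region(int(m["offset"], 16), int(m["protect"], 16),
                            int(m["type"], 16), m["pe"].lower() == "true")
            calls.extend(Call(*p, region) for p in pending)
            pending = []
    return calls


def suspicious_calls(text: str) -> List[Call]:
    return [c for c in parse_report(text) if c.region.is_unbacked_executable()]


# Constructed sample: entries copied from this report (one AutoIt-image block,
# two blocks recovered from the 02020000 region).
REPORT_EXCERPT = """\
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005D302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 005D3044
Strings
Memory Dump Source
• Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
APIs
  • Part of subcall function 020222C0: Sleep.KERNELBASE(000001F4), ref: 020222D1
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0202251C
Memory Dump Source
• Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 02021045
• ExitProcess.KERNEL32(00000000), ref: 02021064
Memory Dump Source
• Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
"""

if __name__ == "__main__":
    for c in suspicious_calls(REPORT_EXCERPT):
        print(f"{c.ref:08X} {c.api}.{c.module}({', '.join(c.args)})  <- {c.region.describe()}")
```

On the excerpt the script reports Sleep, CreateFileW, CreateProcessW and ExitProcess as calls made from the 02020000 region, while GetTempPathW and GetTempFileNameW are attributed to the PE-backed AutoIt image. Two caveats when running it over a full report: the per-function "APIs" list can be shorter than the graph (the 02020920 function's graph also reaches VirtualAlloc, ReadFile, WriteFile and VirtualFree, which its APIs list does not show), and the FindCloseChangeNotification label in that graph is most likely a CloseHandle call, since disassemblers commonly resolve both names to the same export address.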

                    Control-flow Graph (image omitted): single block 00562C63; calls CreateWindowExW twice and ShowWindow twice; legend: Executed / Not Executed
                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00562C91
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00562CB2
                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00561CAD,?), ref: 00562CC6
                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00561CAD,?), ref: 00562CCF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: eed32cf2f63875d4f90a01039d4b537d05e762241e7548d82fd9fac75a516c04
                    • Instruction ID: 3606be0f7192f0872952bc87345f144e9fb9980ef51615cde42c9d4d992744df
                    • Opcode Fuzzy Hash: eed32cf2f63875d4f90a01039d4b537d05e762241e7548d82fd9fac75a516c04
                    • Instruction Fuzzy Hash: 5CF0DA755402987BFB311717AD08EB76EBEE7C7F50B00106EFA00EB5A0C6651858DEB0

                    Control-flow Graph (image omitted): entry block 005D2947; edges reach DeleteFileW (four sites) and CopyFileW plus internal subcalls (005D25D6, 005D2E66, 005D2792, 005D3017, 005D2FD8 among others); legend: Executed / Not Executed
                    APIs
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005D2C05
                    • DeleteFileW.KERNEL32(?), ref: 005D2C87
                    • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005D2C9D
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005D2CAE
                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005D2CC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: File$Delete$Copy
                    • String ID:
                    • API String ID: 3226157194-0
                    • Opcode ID: 47a714e1e05911286d513c8b431fc154972cf59bad2fde3918f5b28c6ed8232e
                    • Instruction ID: ed9ceb542e9c93fe5c4681706075997788d39914b53eff44b4cf39e5f49a839d
                    • Opcode Fuzzy Hash: 47a714e1e05911286d513c8b431fc154972cf59bad2fde3918f5b28c6ed8232e
                    • Instruction Fuzzy Hash: 7AB11E7190011AABDF21EBA4CC89EDE7B7DFF59350F1040A7F909E7251EA709E448B61

                    Control-flow Graph (image omitted): entry block 00595AA9; edges reach WriteFile and GetLastError plus internal subcalls (0058F2C6, 0058F2D9, 005927EC, 00599424, 0059564E among others); legend: Executed / Not Executed
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: JOV
                    • API String ID: 0-2007332367
                    • Opcode ID: 059accd76d8384798f906a994c78eefcd157aed41164099d1e60c0e3943d4c33
                    • Instruction ID: 41ef1f8c03cd8a66136ec65ef2af7dee9c64a09b68a0378802fde69364d43b83
                    • Opcode Fuzzy Hash: 059accd76d8384798f906a994c78eefcd157aed41164099d1e60c0e3943d4c33
                    • Instruction Fuzzy Hash: 7951A175D0060AAFDF22AFA4C849EAE7FB9BF49310F140459F806A7291E7359D21CB61

                    Control-flow Graph (image omitted): entry block 020223D0; edges reach CreateFileW, VirtualAlloc and ReadFile plus subcalls 02020000, 020222C0, 02021070, 02022300, 02022070 and 02022350; legend: Executed / Not Executed
                    APIs
                      • Part of subcall function 020222C0: Sleep.KERNELBASE(000001F4), ref: 020222D1
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0202251C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2020000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: V9URKD7PJU93666E0OKG
                    • API String ID: 2694422964-1109333133
                    • Opcode ID: e9388efb9a0409f610d264edff241395ede204190fe806a4c930118ab3d02ab0
                    • Instruction ID: 531a7d9288c0282389e3d9faf7dc031950d39d694ab19e790098933e295f1e02
                    • Opcode Fuzzy Hash: e9388efb9a0409f610d264edff241395ede204190fe806a4c930118ab3d02ab0
                    • Instruction Fuzzy Hash: D4619130D14258DBEF11DBE4C864BEEBBB9AF15300F004199E608BB2C0D7BA1B49CB65
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00563B0F,SwapMouseButtons,00000004,?), ref: 00563B40
                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00563B0F,SwapMouseButtons,00000004,?), ref: 00563B61
                    • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00563B0F,SwapMouseButtons,00000004,?), ref: 00563B83
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    • Opcode ID: c2060c0693db0dfdde6473abcd08fe2feb08696fee93b13a426cbdf163dd4107
                    • Instruction ID: f3b9c3511c79be3855dac458c078de7300088e4863b287ab49e09befa22b0cef
                    • Opcode Fuzzy Hash: c2060c0693db0dfdde6473abcd08fe2feb08696fee93b13a426cbdf163dd4107
                    • Instruction Fuzzy Hash: AA112AB5511208FFDB208FA5DC48EEEBBBCFF05744B104969A805D7160E6319E45A760
                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005A33A2
                      • Part of subcall function 00566B57: _wcslen.LIBCMT ref: 00566B6A
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00563A04
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_wcslen
                    • String ID: Line:
                    • API String ID: 2289894680-1585850449
                    • Opcode ID: 212af2244fc065c53e37d46b8c31cce26cf4336526e812ccf33f1e6cdc88c8d4
                    • Instruction ID: b1a2d5e2054b52df1a2798e10788fce9242baed08c72d227fdf53948ca77d24a
                    • Opcode Fuzzy Hash: 212af2244fc065c53e37d46b8c31cce26cf4336526e812ccf33f1e6cdc88c8d4
                    • Instruction Fuzzy Hash: 0131C171508305AAD721EB20DC49BEFBBD8BB81714F10492AF599931A1EB709A48CBC2
                    APIs
                    • GetOpenFileNameW.COMDLG32(?), ref: 005A2C8C
                      • Part of subcall function 00563AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00563A97,?,?,00562E7F,?,?,?,00000000), ref: 00563AC2
                      • Part of subcall function 00562DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00562DC4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen
                    • String ID: X$`eb
                    • API String ID: 779396738-317726664
                    • Opcode ID: 223e0ed0c9937614dd6beb8d37501c1f02421ba25403e7689642cb820a148d79
                    • Instruction ID: f50e9279a5a7bb6c8b5275856e66fafbeea22f6d8c399aab1f071f4ec9beaf94
                    • Opcode Fuzzy Hash: 223e0ed0c9937614dd6beb8d37501c1f02421ba25403e7689642cb820a148d79
                    • Instruction Fuzzy Hash: 27218171A00698ABDB01AF94D849BEE7FFDAF89314F008059E405A7241DFB45A898FA1
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00580668
                      • Part of subcall function 005832A4: RaiseException.KERNEL32(?,?,?,0058068A,?,00631444,?,?,?,?,?,?,0058068A,00561129,00628738,00561129), ref: 00583304
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00580685
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Exception@8Throw$ExceptionRaise
                    • String ID: Unknown exception
                    • API String ID: 3476068407-410509341
                    • Opcode ID: 51f696177720d82b90b07b62eeb76bd887de933b6c1c4b40295b780cfa479c78
                    • Instruction ID: df18cc162a88ce3e648aed537f24cba5d60aab9468d90d882609bcab0aa2822f
                    • Opcode Fuzzy Hash: 51f696177720d82b90b07b62eeb76bd887de933b6c1c4b40295b780cfa479c78
                    • Instruction Fuzzy Hash: 3DF0C234A0020EB78F10F665EC4AC9E7F6C7E80710B608531BD28E65D1EF71DA29CB90
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 02021045
                    • ExitProcess.KERNEL32(00000000), ref: 02021064
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2020000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process$CreateExit
                    • String ID: D
                    • API String ID: 126409537-2746444292
                    • Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                    • Instruction ID: 3a69f23e650886aefb26c6a017e18376548b41421a9454ac72605ae36d2860c9
                    • Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                    • Instruction Fuzzy Hash: DDF0FF7254025CABDB60DFE0CC49FEE777CBF04701F108509FB0A9A180DB7896089B61
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005D302F
                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 005D3044
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    • Opcode ID: e168724e0a51347c72c94badaf26bb9f4cc5eba589b77d9146494b25b575626c
                    • Instruction ID: 1e940e852701f797a45fa78a1f15af35249c28f0346693676e9785994a9c677b
                    • Opcode Fuzzy Hash: e168724e0a51347c72c94badaf26bb9f4cc5eba589b77d9146494b25b575626c
                    • Instruction Fuzzy Hash: A8D05E76500328A7DA20A7A4AD0EFDB3E6CDB04750F0002A1B695E20A2DAB49988CBD0
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 005E82F5
                    • TerminateProcess.KERNEL32(00000000), ref: 005E82FC
                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 005E84DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process$CurrentFreeLibraryTerminate
                    • String ID:
                    • API String ID: 146820519-0
                    • Opcode ID: 425e3b34f2335e6489f7de335c571390ac2a85fd09f27998f85af9fdcbff81c4
                    • Instruction ID: 444793fc17bff5639e946d94dcff7131f19a980684062d20e6fbeeea67e10551
                    • Opcode Fuzzy Hash: 425e3b34f2335e6489f7de335c571390ac2a85fd09f27998f85af9fdcbff81c4
                    • Instruction Fuzzy Hash: 71125B719083419FC724DF29C484B2ABBE5FF88318F14895DE9998B392DB31ED45CB92
                    APIs
                      • Part of subcall function 00561BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00561BF4
                      • Part of subcall function 00561BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00561BFC
                      • Part of subcall function 00561BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00561C07
                      • Part of subcall function 00561BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00561C12
                      • Part of subcall function 00561BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00561C1A
                      • Part of subcall function 00561BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00561C22
                      • Part of subcall function 00561B4A: RegisterWindowMessageW.USER32(00000004,?,005612C4), ref: 00561BA2
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0056136A
                    • OleInitialize.OLE32 ref: 00561388
                    • CloseHandle.KERNEL32(00000000,00000000), ref: 005A24AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                    • String ID:
                    • API String ID: 1986988660-0
                    • Opcode ID: eef156051805e3e63ce0df9fd28bd0b153e52bec5b30f89239bde120b066d41c
                    • Instruction ID: c748520d7dc737723554cd326da12ffff4f693210efa9dc276df866a1231ea75
                    • Opcode Fuzzy Hash: eef156051805e3e63ce0df9fd28bd0b153e52bec5b30f89239bde120b066d41c
                    • Instruction Fuzzy Hash: 6871ABF59112098FC384DF79AE496653EE2FB8B364714A62AD14ACF362EB304445CFD8
                    APIs
                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,005985CC,?,00628CC8,0000000C), ref: 00598704
                    • GetLastError.KERNEL32(?,005985CC,?,00628CC8,0000000C), ref: 0059870E
                    • __dosmaperr.LIBCMT ref: 00598739
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                    • String ID:
                    • API String ID: 490808831-0
                    • Opcode ID: 7e2c7a659d17286528747e278bf0f6f0545b9a34dda734c2482b3a9b5db17862
                    • Instruction ID: b2e649caa150290754a43eaa3e7a9dbe4dfede93ba3caa85cf2d8b4e62f1900d
                    • Opcode Fuzzy Hash: 7e2c7a659d17286528747e278bf0f6f0545b9a34dda734c2482b3a9b5db17862
                    • Instruction Fuzzy Hash: 04016633A0422026DE216774E849B7E2F4AABE37B4F390519FD04CF1D2EEA18C81C290
                    APIs
                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,005D2CD4,?,?,?,00000004,00000001), ref: 005D2FF2
                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,005D2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005D3006
                    • CloseHandle.KERNEL32(00000000,?,005D2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005D300D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    • Opcode ID: 3b52ffaf5945756046b250b27f47bbe081405f32416356663740c62c487b2245
                    • Instruction ID: 8148fff020ce8394ee8c1defd5c2bf8567098bdc6f21197d955d3feff88ffd98
                    • Opcode Fuzzy Hash: 3b52ffaf5945756046b250b27f47bbe081405f32416356663740c62c487b2245
                    • Instruction Fuzzy Hash: B6E0863228161477D2301759BD0DF9B3E1CD786B71F114221F719F51D046A41515E2A8
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 005717F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Init_thread_footer
                    • String ID: CALL
                    • API String ID: 1385522511-4196123274
                    • Opcode ID: 4bcac6d8b794389487c008985375614712867a8bf7ea9686bb362a07b6b9138e
                    • Instruction ID: 7b6e0f512903d247e7f42a4c747181363337e67e11c500bc67aa7b600ee77c32
                    • Opcode Fuzzy Hash: 4bcac6d8b794389487c008985375614712867a8bf7ea9686bb362a07b6b9138e
                    • Instruction Fuzzy Hash: 9522AB706086029FC714CF18D484A2ABFF1BF85314F24892DF48A8B3A2D735E945EB96
                    APIs
                    • _wcslen.LIBCMT ref: 005D6F6B
                      • Part of subcall function 00564ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564EFD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: LibraryLoad_wcslen
                    • String ID: >>>AUTOIT SCRIPT<<<
                    • API String ID: 3312870042-2806939583
                    • Opcode ID: e863fedaa2864536abd2264c6380717b89b04c7cadbda46d4a0599f4dce8c92a
                    • Instruction ID: 55618c176c93978e4b1a8c4857a61f8198b14f05b46b6a7094c97ec09ce7f39c
                    • Opcode Fuzzy Hash: e863fedaa2864536abd2264c6380717b89b04c7cadbda46d4a0599f4dce8c92a
                    • Instruction Fuzzy Hash: 7BB183311086068FDB24EF24C49596EBBE5BFD8304F14495EF496973A2EB30ED49CB92
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID: EA06
                    • API String ID: 2638373210-3962188686
                    • Opcode ID: aceffa5cd50a2d96cdbc1f3e216f961843e6061123af7a1065f02208ce14bf8f
                    • Instruction ID: a98566a476afd44ddd04838407dc571d9e58e185f6abe5bad02e0eab0e139daf
                    • Opcode Fuzzy Hash: aceffa5cd50a2d96cdbc1f3e216f961843e6061123af7a1065f02208ce14bf8f
                    • Instruction Fuzzy Hash: 8A01B9719042587EDF28D7A8C85AEAEBFF8DB15301F00455BF552E61C1E5B4E6088B60
                    APIs
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00563908
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: IconNotifyShell_
                    • String ID:
                    • API String ID: 1144537725-0
                    • Opcode ID: da32294ee9addcfdd8199a4d0c1a5ded55af73fe40a94034eae42a13b97e6e88
                    • Instruction ID: bfa2bf33ea4e4cc8b6c059c9d4a1172b9771551972d71b6ed4f2399a7fe5c568
                    • Opcode Fuzzy Hash: da32294ee9addcfdd8199a4d0c1a5ded55af73fe40a94034eae42a13b97e6e88
                    • Instruction Fuzzy Hash: 8B3171715057019FE720DF64D8857DBBFE8FB8A708F00092EF59A97250E771AA48CB92
                    APIs
                      • Part of subcall function 020208E0: GetFileAttributesW.KERNELBASE(?), ref: 020208EB
                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 020211C3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2020000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AttributesCreateDirectoryFile
                    • String ID:
                    • API String ID: 3401506121-0
                    • Opcode ID: 15b0b85d54f58addc4ebaea3910ff6c394666464b01fb38b087fed29f4c26c94
                    • Instruction ID: aba63393abb9d85f59700e48f076e6c0d152c5c64d95014643b356cc9fa27b32
                    • Opcode Fuzzy Hash: 15b0b85d54f58addc4ebaea3910ff6c394666464b01fb38b087fed29f4c26c94
                    • Instruction Fuzzy Hash: 83515331A1121896DF14EFA0D854BEFB37AEF58300F108569E50DF7290EB799B48CBA5
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 005CF314
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: BuffCharLower
                    • String ID:
                    • API String ID: 2358735015-0
                    • Opcode ID: 3a4fac144f46364917222dd8f348328816e5d2076b8c114e8b4f36e61ba600ec
                    • Instruction ID: a22f9eeb717dde634c6451af8b9aeabb57ac95b21ff0c97c36050254efd9a55f
                    • Opcode Fuzzy Hash: 3a4fac144f46364917222dd8f348328816e5d2076b8c114e8b4f36e61ba600ec
                    • Instruction Fuzzy Hash: EC41F772500205AFCB15EFA4C884EAF7BBAFF84314B20893EE55697251EB70DE45CB50
                    APIs
                      • Part of subcall function 00564E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00564EDD,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564E9C
                      • Part of subcall function 00564E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00564EAE
                      • Part of subcall function 00564E90: FreeLibrary.KERNEL32(00000000,?,?,00564EDD,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564EC0
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564EFD
                      • Part of subcall function 00564E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005A3CDE,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564E62
                      • Part of subcall function 00564E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00564E74
                      • Part of subcall function 00564E59: FreeLibrary.KERNEL32(00000000,?,?,005A3CDE,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564E87
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Library$Load$AddressFreeProc
                    • String ID:
                    • API String ID: 2632591731-0
                    • Opcode ID: 55eec1a0990acebc044b28602d5841f3ab9a23be3e71adcc2fadd8da58006699
                    • Instruction ID: d5371178f7c80e52af6a9924bc2fc3fb5dd90cce2e0cd430de7f07e21e686b8e
                    • Opcode Fuzzy Hash: 55eec1a0990acebc044b28602d5841f3ab9a23be3e71adcc2fadd8da58006699
                    • Instruction Fuzzy Hash: 26112731600306AACF25BB60DC0AFADBFA4BF80710F10842EF542A72C1EE719E059B90
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: __wsopen_s
                    • String ID:
                    • API String ID: 3347428461-0
                    • Opcode ID: 061e8103beef77c8eab26febb8b78389b6c22a86683d9eada68af0866077f584
                    • Instruction ID: 993a2d9ce033df2e1931e4b702f49534513d94bffc6786991b074cf873020765
                    • Opcode Fuzzy Hash: 061e8103beef77c8eab26febb8b78389b6c22a86683d9eada68af0866077f584
                    • Instruction Fuzzy Hash: 5711487190410AAFCF05DF58E9409AE7BF9FF49304F104069F808AB312DA31DA11CBA4
                    APIs
                      • Part of subcall function 00594C7D: RtlAllocateHeap.NTDLL(00000008,00561129,00000000,?,00592E29,00000001,00000364,?,?,?,0058F2DE,00593863,00631444,?,0057FDF5,?), ref: 00594CBE
                    • _free.LIBCMT ref: 0059506C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                    • Instruction ID: 2bd7c8f2b119f0e63222dfdf46951ab1876bbe7e4019de8f9dd92a6920311119
                    • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                    • Instruction Fuzzy Hash: D5012B722047056BEB22CE55984995AFFE8FB85370F65061DE18483280E6306805C7B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                    • Instruction ID: 3e1767bf12fe37cef258ed45fb7c8f79e40c8083ac65fdfe4264adfd439113e5
                    • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                    • Instruction Fuzzy Hash: D5F0F932510A15A6DB313A6AAC0EB563FA8BFD3330F140715FC25B21D1EB7098028BA5
                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,00561129,00000000,?,00592E29,00000001,00000364,?,?,?,0058F2DE,00593863,00631444,?,0057FDF5,?), ref: 00594CBE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 0a56ba087c2d39a78bad55224d8beb8cc815414038849eec6971b42ee9b1dbd2
                    • Instruction ID: 31c05d72e917ba25b47d1df675c445b337aa72be548f5f1649a2f0bd4380539c
                    • Opcode Fuzzy Hash: 0a56ba087c2d39a78bad55224d8beb8cc815414038849eec6971b42ee9b1dbd2
                    • Instruction Fuzzy Hash: 75F0E9316022256FDF216F629C09F5A3F8CBF917A1B144625BC16EA281CB30DC02CFE0
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,?,00631444,?,0057FDF5,?,?,0056A976,00000010,00631440,005613FC,?,005613C6,?,00561129), ref: 00593852
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 1e637d3bb46a135c890fe28074254d114092eab6d831f6b86d0e42ef4fdf4dc7
                    • Instruction ID: 9a24541bb70629b7439eba79d0218b494749ed152aa238fe94784ba5dbf8c83a
                    • Opcode Fuzzy Hash: 1e637d3bb46a135c890fe28074254d114092eab6d831f6b86d0e42ef4fdf4dc7
                    • Instruction Fuzzy Hash: 3AE0E531202226D6EF2136679C08B9A3E49BF827B0F050431BC05A6980CB10DD0196E1
                    APIs
                    • FreeLibrary.KERNEL32(?,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564F6D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: e4fe43ee4e97d21d09e30310d282174c79b40c55bfc5a20e62ee29912b59be86
                    • Instruction ID: db2a35593e30a16efdd1f306a5109a365c6272b943cddfbb3e6c67ee843df83d
                    • Opcode Fuzzy Hash: e4fe43ee4e97d21d09e30310d282174c79b40c55bfc5a20e62ee29912b59be86
                    • Instruction Fuzzy Hash: 4BF01C71105752CFDB389F64D494822FFE5BF243193108A7EE1DA83611C7319848DF10
                    APIs
                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00562DC4
                      • Part of subcall function 00566B57: _wcslen.LIBCMT ref: 00566B6A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: LongNamePath_wcslen
                    • String ID:
                    • API String ID: 541455249-0
                    • Opcode ID: 8367f80a164099600d66bbbb99e0ee221496cebc9d541ac7e9d2c296cb2de524
                    • Instruction ID: 377d722ff6cd5009401eeec6090e54421aa104eeb31afa96b4342c8a684ba572
                    • Opcode Fuzzy Hash: 8367f80a164099600d66bbbb99e0ee221496cebc9d541ac7e9d2c296cb2de524
                    • Instruction Fuzzy Hash: 44E0CD766001245BC7109658DC09FEA7BDDEFC8790F044071FD09D7258D964AD84C550
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID:
                    • API String ID: 2638373210-0
                    • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                    • Instruction ID: 5eba2913b87b43f952c61ec43c07a34de176182621cc09c062c562caa6ff2294
                    • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                    • Instruction Fuzzy Hash: 5AE048B06097005FDF395A28A8517B67BE4AF49300F10045FF59FD2352E5726845CA4D
                    APIs
                      • Part of subcall function 00563837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00563908
                      • Part of subcall function 0056D730: GetInputState.USER32 ref: 0056D807
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00562B6B
                      • Part of subcall function 005630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0056314E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: IconNotifyShell_$CurrentDirectoryInputState
                    • String ID:
                    • API String ID: 3667716007-0
                    • Opcode ID: fb4862e89fa554f351c924d8f96923236a0791f8dd917974a8bc2faa55eaa1d8
                    • Instruction ID: 61ad2452b79b0d5a762fdf3f65311a41163c47c4e44652e3826206c4b3064e04
                    • Opcode Fuzzy Hash: fb4862e89fa554f351c924d8f96923236a0791f8dd917974a8bc2faa55eaa1d8
                    • Instruction Fuzzy Hash: 7FE0862170424606C708BB75A85A5BDAF9AFBE2351F40193EF542872A3CE2546498252
                    APIs
                    • GetFileAttributesW.KERNELBASE(?), ref: 020208EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2020000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                    • Instruction ID: 438810b4bfd6fc2a38b59eeddafdbeb71cf6c3407bfc75c4cbc586d128e11146
                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                    • Instruction Fuzzy Hash: 59E0CD7150531CDBD750CBB8CC086AD73E6D724310F004756E457D31C0D6308948E754
                    APIs
                    • CreateFileW.KERNELBASE(00000000,00000000,?,005A0704,?,?,00000000,?,005A0704,00000000,0000000C), ref: 005A03B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 5b10183a33320e5e34236ba13df26030a475e1153b921b8dd6e47c7ec350848f
                    • Instruction ID: 895ef4f8e746235e960ab876434527a564fe459d882ae90aa1053e4d5f9a3775
                    • Opcode Fuzzy Hash: 5b10183a33320e5e34236ba13df26030a475e1153b921b8dd6e47c7ec350848f
                    • Instruction Fuzzy Hash: F6D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014010BE1896020C736E831EB90
                    APIs
                    • GetFileAttributesW.KERNELBASE(?), ref: 020208BB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2020000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                    • Instruction ID: c112b28d60722eae029b43c6863e3e1a7b6b30af9c882ee6d80d7ac64612f468
                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                    • Instruction Fuzzy Hash: 89D05E3090630CABCB10CAB49804A9A73A89B14320F004756E91593280D6319944A7A0
                    APIs
                    • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00561CBC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: InfoParametersSystem
                    • String ID:
                    • API String ID: 3098949447-0
                    • Opcode ID: e643c6a4c3d9f80140e6736a423ae5020ec5ab5e4a7cadf4471121a77075c573
                    • Instruction ID: 7e0457b6a4e1b35536ac8acfd1bfcead4348ba37d7a977bbf7752c7c6c666b66
                    • Opcode Fuzzy Hash: e643c6a4c3d9f80140e6736a423ae5020ec5ab5e4a7cadf4471121a77075c573
                    • Instruction Fuzzy Hash: 2BC09236280309AFF3148B80BD5AF207B66A358B11F049001F609AA5E3C3A22828EA90
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: 0b5b596258b5e5bf5549b3652c3846b1a23bf94001587716e5263fdc81cfd9b2
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: BD311274A04109DBC729CF59E480969FBA6FF49300B24C6A5E809CF652D731EDC1EBC0
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 020222D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1683870797.0000000002020000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2020000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: ca3161beec2534bf7957fcd085ec5ed241ba7a356b3db8d4a8151185bf4dade9
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: A0E0E67494020DEFDB00EFF4D94969E7FB4EF04302F100161FD01D2280D6319D549A62
                    APIs
                      • Part of subcall function 00579BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00579BB2
                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005F961A
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005F965B
                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005F969F
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005F96C9
                    • SendMessageW.USER32 ref: 005F96F2
                    • GetKeyState.USER32(00000011), ref: 005F978B
                    • GetKeyState.USER32(00000009), ref: 005F9798
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005F97AE
                    • GetKeyState.USER32(00000010), ref: 005F97B8
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005F97E9
                    • SendMessageW.USER32 ref: 005F9810
                    • SendMessageW.USER32(?,00001030,?,005F7E95), ref: 005F9918
                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005F992E
                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005F9941
                    • SetCapture.USER32(?), ref: 005F994A
                    • ClientToScreen.USER32(?,?), ref: 005F99AF
                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005F99BC
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005F99D6
                    • ReleaseCapture.USER32 ref: 005F99E1
                    • GetCursorPos.USER32(?), ref: 005F9A19
                    • ScreenToClient.USER32(?,?), ref: 005F9A26
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 005F9A80
                    • SendMessageW.USER32 ref: 005F9AAE
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 005F9AEB
                    • SendMessageW.USER32 ref: 005F9B1A
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005F9B3B
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 005F9B4A
                    • GetCursorPos.USER32(?), ref: 005F9B68
                    • ScreenToClient.USER32(?,?), ref: 005F9B75
                    • GetParent.USER32(?), ref: 005F9B93
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 005F9BFA
                    • SendMessageW.USER32 ref: 005F9C2B
                    • ClientToScreen.USER32(?,?), ref: 005F9C84
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005F9CB4
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 005F9CDE
                    • SendMessageW.USER32 ref: 005F9D01
                    • ClientToScreen.USER32(?,?), ref: 005F9D4E
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005F9D82
                      • Part of subcall function 00579944: GetWindowLongW.USER32(?,000000EB), ref: 00579952
                    • GetWindowLongW.USER32(?,000000F0), ref: 005F9E05
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                    • String ID: @GUI_DRAGID$F$p#c
                    • API String ID: 3429851547-1068676463
                    • Opcode ID: 670718a24c28732bde16183ce8815a88d955e06398b3d38241fec8cfd8008c94
                    • Instruction ID: eb2f6e0e3133b02300aa4f1c2fe6e69915d36ff06578ba63896efd55e2bc44bf
                    • Opcode Fuzzy Hash: 670718a24c28732bde16183ce8815a88d955e06398b3d38241fec8cfd8008c94
                    • Instruction Fuzzy Hash: 1E428C34208649AFDB20DF28CD44BBABFE5FF89710F100A19F699CB2A1D7359854DB91
                    APIs
                    • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005F48F3
                    • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005F4908
                    • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005F4927
                    • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005F494B
                    • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005F495C
                    • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005F497B
                    • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005F49AE
                    • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005F49D4
                    • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005F4A0F
                    • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005F4A56
                    • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005F4A7E
                    • IsMenu.USER32(?), ref: 005F4A97
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005F4AF2
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005F4B20
                    • GetWindowLongW.USER32(?,000000F0), ref: 005F4B94
                    • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005F4BE3
                    • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005F4C82
                    • wsprintfW.USER32 ref: 005F4CAE
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005F4CC9
                    • GetWindowTextW.USER32(?,00000000,00000001), ref: 005F4CF1
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005F4D13
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005F4D33
                    • GetWindowTextW.USER32(?,00000000,00000001), ref: 005F4D5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                    • String ID: %d/%02d/%02d
                    • API String ID: 4054740463-328681919
                    • Opcode ID: fa5b9e95074d7a01d9a20e8e56cbf985fa3c706e9538f84c04a7f2227486b3a5
                    • Instruction ID: b90c71db3b8727ea3b99fb63c9d8c17043f4475779711214d26cf9051d101418
                    • Opcode Fuzzy Hash: fa5b9e95074d7a01d9a20e8e56cbf985fa3c706e9538f84c04a7f2227486b3a5
                    • Instruction Fuzzy Hash: 2F12D071600259ABEB248F28CD49FBF7FA9BF85310F104529FA19DB2A1DB789944CF50
                    APIs
                    • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0057F998
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005BF474
                    • IsIconic.USER32(00000000), ref: 005BF47D
                    • ShowWindow.USER32(00000000,00000009), ref: 005BF48A
                    • SetForegroundWindow.USER32(00000000), ref: 005BF494
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005BF4AA
                    • GetCurrentThreadId.KERNEL32 ref: 005BF4B1
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005BF4BD
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 005BF4CE
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 005BF4D6
                    • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 005BF4DE
                    • SetForegroundWindow.USER32(00000000), ref: 005BF4E1
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 005BF4F6
                    • keybd_event.USER32(00000012,00000000), ref: 005BF501
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 005BF50B
                    • keybd_event.USER32(00000012,00000000), ref: 005BF510
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 005BF519
                    • keybd_event.USER32(00000012,00000000), ref: 005BF51E
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 005BF528
                    • keybd_event.USER32(00000012,00000000), ref: 005BF52D
                    • SetForegroundWindow.USER32(00000000), ref: 005BF530
                    • AttachThreadInput.USER32(?,000000FF,00000000), ref: 005BF557
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: 85cc95fe4a588b003705b53d42e390bd9dafba54df3e8ba4b17d3651f35de13d
                    • Instruction ID: 57948dee5c691e6eb4a13d54ad89aae031ac2a9eeefdbda19e27505456dbfed7
                    • Opcode Fuzzy Hash: 85cc95fe4a588b003705b53d42e390bd9dafba54df3e8ba4b17d3651f35de13d
                    • Instruction Fuzzy Hash: 6D313D71A4021CBBEB306BB55D4AFBF7E6CEB44B50F100475FA01EA1D1C6B56900EBA0
                    APIs
                      • Part of subcall function 005C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005C170D
                      • Part of subcall function 005C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005C173A
                      • Part of subcall function 005C16C3: GetLastError.KERNEL32 ref: 005C174A
                    • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 005C1286
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005C12A8
                    • CloseHandle.KERNEL32(?), ref: 005C12B9
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005C12D1
                    • GetProcessWindowStation.USER32 ref: 005C12EA
                    • SetProcessWindowStation.USER32(00000000), ref: 005C12F4
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005C1310
                      • Part of subcall function 005C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005C11FC), ref: 005C10D4
                      • Part of subcall function 005C10BF: CloseHandle.KERNEL32(?,?,005C11FC), ref: 005C10E9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                    • String ID: $default$winsta0$Zb
                    • API String ID: 22674027-1349916648
                    • Opcode ID: f29fdbe0957eb47113e5e90df8a7d49d83f1f7965826902e88a000f9e2496106
                    • Instruction ID: 9335009c686410cad8d42c49d0e789f970d4f54a547c225d69870303e468877c
                    • Opcode Fuzzy Hash: f29fdbe0957eb47113e5e90df8a7d49d83f1f7965826902e88a000f9e2496106
                    • Instruction Fuzzy Hash: 5A818571900609AFDF259FA8DD89FAE7FB9FF05700F144169F910E62A2D7348948DB28
                    APIs
                      • Part of subcall function 005C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005C1114
                      • Part of subcall function 005C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C1120
                      • Part of subcall function 005C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C112F
                      • Part of subcall function 005C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C1136
                      • Part of subcall function 005C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005C114D
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005C0BCC
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005C0C00
                    • GetLengthSid.ADVAPI32(?), ref: 005C0C17
                    • GetAce.ADVAPI32(?,00000000,?), ref: 005C0C51
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005C0C6D
                    • GetLengthSid.ADVAPI32(?), ref: 005C0C84
                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 005C0C8C
                    • HeapAlloc.KERNEL32(00000000), ref: 005C0C93
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 005C0CB4
                    • CopySid.ADVAPI32(00000000), ref: 005C0CBB
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005C0CEA
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005C0D0C
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 005C0D1E
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C0D45
                    • HeapFree.KERNEL32(00000000), ref: 005C0D4C
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C0D55
                    • HeapFree.KERNEL32(00000000), ref: 005C0D5C
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C0D65
                    • HeapFree.KERNEL32(00000000), ref: 005C0D6C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 005C0D78
                    • HeapFree.KERNEL32(00000000), ref: 005C0D7F
                      • Part of subcall function 005C1193: GetProcessHeap.KERNEL32(00000008,005C0BB1,?,00000000,?,005C0BB1,?), ref: 005C11A1
                      • Part of subcall function 005C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005C0BB1,?), ref: 005C11A8
                      • Part of subcall function 005C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005C0BB1,?), ref: 005C11B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                    • String ID:
                    • API String ID: 4175595110-0
                    • Opcode ID: 1fd64ed63722a0a5a1c1c2131adeeee4ac4701191549c8e12e27e0bb1a0387ba
                    • Instruction ID: 10c566c8f1d9901c463c22a8a9f425a95016f9a91ea513339851f7f4e4721925
                    • Opcode Fuzzy Hash: 1fd64ed63722a0a5a1c1c2131adeeee4ac4701191549c8e12e27e0bb1a0387ba
                    • Instruction Fuzzy Hash: 07716B7290020AEFDF109FE4DD48FAEBFB8BF14700F045629E915E6191DB75A909CB60
                    APIs
                    • OpenClipboard.USER32(005FCC08), ref: 005DEB29
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 005DEB37
                    • GetClipboardData.USER32(0000000D), ref: 005DEB43
                    • CloseClipboard.USER32 ref: 005DEB4F
                    • GlobalLock.KERNEL32(00000000), ref: 005DEB87
                    • CloseClipboard.USER32 ref: 005DEB91
                    • GlobalUnlock.KERNEL32(00000000,00000000), ref: 005DEBBC
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 005DEBC9
                    • GetClipboardData.USER32(00000001), ref: 005DEBD1
                    • GlobalLock.KERNEL32(00000000), ref: 005DEBE2
                    • GlobalUnlock.KERNEL32(00000000,?), ref: 005DEC22
                    • IsClipboardFormatAvailable.USER32(0000000F), ref: 005DEC38
                    • GetClipboardData.USER32(0000000F), ref: 005DEC44
                    • GlobalLock.KERNEL32(00000000), ref: 005DEC55
                    • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 005DEC77
                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005DEC94
                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005DECD2
                    • GlobalUnlock.KERNEL32(00000000,?,?), ref: 005DECF3
                    • CountClipboardFormats.USER32 ref: 005DED14
                    • CloseClipboard.USER32 ref: 005DED59
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                    • String ID:
                    • API String ID: 420908878-0
                    • Opcode ID: 60a73f24d2277c27243f93af2ff454593820e0bbedd73faa4afa35d746f5f0dc
                    • Instruction ID: 5421286ff81a364647a77baba02a4dc6e61928d89975972d8225b61dbcff6c93
                    • Opcode Fuzzy Hash: 60a73f24d2277c27243f93af2ff454593820e0bbedd73faa4afa35d746f5f0dc
                    • Instruction Fuzzy Hash: D5619C342042069FD310EF28C98AE7A7FA4BB95704F14452EF456DB2A1CB35E949DB62
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 005D69BE
                    • FindClose.KERNEL32(00000000), ref: 005D6A12
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005D6A4E
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005D6A75
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 005D6AB2
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 005D6ADF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                    • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                    • API String ID: 3830820486-3289030164
                    • Opcode ID: 2d28d4abaf9e7b002c67a5c5d45128fe5243e7fb9f54f212b15161e7887e793a
                    • Instruction ID: 71f653071bc3f267b548902b6fd90f33504fcfab6d9553a3db4e5ffc4517dbdd
                    • Opcode Fuzzy Hash: 2d28d4abaf9e7b002c67a5c5d45128fe5243e7fb9f54f212b15161e7887e793a
                    • Instruction Fuzzy Hash: 7DD14F71508345AAC310EBA4D985EABBBECBFD8704F04491EF589C7291EB74DA44CB62
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005D9663
                    • GetFileAttributesW.KERNEL32(?), ref: 005D96A1
                    • SetFileAttributesW.KERNEL32(?,?), ref: 005D96BB
                    • FindNextFileW.KERNEL32(00000000,?), ref: 005D96D3
                    • FindClose.KERNEL32(00000000), ref: 005D96DE
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 005D96FA
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 005D974A
                    • SetCurrentDirectoryW.KERNEL32(00626B7C), ref: 005D9768
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 005D9772
                    • FindClose.KERNEL32(00000000), ref: 005D977F
                    • FindClose.KERNEL32(00000000), ref: 005D978F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1409584000-438819550
                    • Opcode ID: a200e2e609bd2d8995b0df360680f5779652b5d2236f837188ef892e174f4caa
                    • Instruction ID: c125709ebdc10ec35988c00f9b532813d1ac3c4d0935a0c443e84c16b7a9f51e
                    • Opcode Fuzzy Hash: a200e2e609bd2d8995b0df360680f5779652b5d2236f837188ef892e174f4caa
                    • Instruction Fuzzy Hash: 7431B33654061D6ADB24AFB8ED08AEE7FACEF49321F104167F915E22A0EB34D944CB50
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005D97BE
                    • FindNextFileW.KERNEL32(00000000,?), ref: 005D9819
                    • FindClose.KERNEL32(00000000), ref: 005D9824
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 005D9840
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 005D9890
                    • SetCurrentDirectoryW.KERNEL32(00626B7C), ref: 005D98AE
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 005D98B8
                    • FindClose.KERNEL32(00000000), ref: 005D98C5
                    • FindClose.KERNEL32(00000000), ref: 005D98D5
                      • Part of subcall function 005CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005CDB00
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 2640511053-438819550
                    • Opcode ID: 5436fa2b5c61028b64d461f67581f8f817cca8603359768ccaddcbd6983ba2a9
                    • Instruction ID: 825a4e9f6e506e574e151c854edb42649490635c1a9f3ececaf7111f77ca68cc
                    • Opcode Fuzzy Hash: 5436fa2b5c61028b64d461f67581f8f817cca8603359768ccaddcbd6983ba2a9
                    • Instruction Fuzzy Hash: 6C31C63154061D6ADF20AFA8EC48AEE7F6CBF46721F104167E950E2290DB34D949DB50
                    APIs
                    • GetLocalTime.KERNEL32(?), ref: 005D8257
                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 005D8267
                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005D8273
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005D8310
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 005D8324
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 005D8356
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005D838C
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 005D8395
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CurrentDirectoryTime$File$Local$System
                    • String ID: *.*
                    • API String ID: 1464919966-438819550
                    • Opcode ID: 69825bbe25103c17597b20b23fa85cdd0dafcdb63819a6e57264988d3b6b33ea
                    • Instruction ID: 2ef77a87c93f084d3159f1789cbb761b0d2274912f768a543865f7e52974f949
                    • Opcode Fuzzy Hash: 69825bbe25103c17597b20b23fa85cdd0dafcdb63819a6e57264988d3b6b33ea
                    • Instruction Fuzzy Hash: 15617A765043469FC720EF64C8459AEBBE8FF89310F04492EF989D7251EB31E949CB92
                    APIs
                      • Part of subcall function 00563AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00563A97,?,?,00562E7F,?,?,?,00000000), ref: 00563AC2
                      • Part of subcall function 005CE199: GetFileAttributesW.KERNEL32(?,005CCF95), ref: 005CE19A
                    • FindFirstFileW.KERNEL32(?,?), ref: 005CD122
                    • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 005CD1DD
                    • MoveFileW.KERNEL32(?,?), ref: 005CD1F0
                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 005CD20D
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 005CD237
                      • Part of subcall function 005CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,005CD21C,?,?), ref: 005CD2B2
                    • FindClose.KERNEL32(00000000,?,?,?), ref: 005CD253
                    • FindClose.KERNEL32(00000000), ref: 005CD264
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 1946585618-1173974218
                    • Opcode ID: ad53bc4e9202db3998a75abba2042e5c955cdb20a7e62a94fb96af800962b595
                    • Instruction ID: 903178dbebdae5f3d995a257ac4094e2d6082461670d86228e057d4e28727467
                    • Opcode Fuzzy Hash: ad53bc4e9202db3998a75abba2042e5c955cdb20a7e62a94fb96af800962b595
                    • Instruction Fuzzy Hash: F061193580110E9ECF05EBE0DA96EEDBBB9BF95300F244169E402B7191EB359F09DB60
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    • Opcode ID: d3a1528275fab8ed811e19fa7e814f5f40d1ec0c9ddafa6fa8f9b7e6a367ab71
                    • Instruction ID: cd4092065705f0ad1559d78d61414230014a48686b19e18d2d65393462ab7ac0
                    • Opcode Fuzzy Hash: d3a1528275fab8ed811e19fa7e814f5f40d1ec0c9ddafa6fa8f9b7e6a367ab71
                    • Instruction Fuzzy Hash: 80417A35204612AFE720EF19D88AB29BFA5FF54318F1480AAE455CF762CB75EC45CB90
                    APIs
                      • Part of subcall function 005C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005C170D
                      • Part of subcall function 005C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005C173A
                      • Part of subcall function 005C16C3: GetLastError.KERNEL32 ref: 005C174A
                    • ExitWindowsEx.USER32(?,00000000), ref: 005CE932
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $ $@$SeShutdownPrivilege
                    • API String ID: 2234035333-3163812486
                    • Opcode ID: c3a4dc640c2b138f4e22f3bc77aefad8c6459a965ef2b32bf1cbe097270f49c3
                    • Instruction ID: 1781fa51943b03d2d1b3d2f83451f1acb558bcd592c4facf3cac806ce63a0678
                    • Opcode Fuzzy Hash: c3a4dc640c2b138f4e22f3bc77aefad8c6459a965ef2b32bf1cbe097270f49c3
                    • Instruction Fuzzy Hash: 5E012632610215AFEB5422F49C8BFBF7A5CB715740F154929F803E21D2D9B45C848294
                    APIs
                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005E1276
                    • WSAGetLastError.WSOCK32 ref: 005E1283
                    • bind.WSOCK32(00000000,?,00000010), ref: 005E12BA
                    • WSAGetLastError.WSOCK32 ref: 005E12C5
                    • closesocket.WSOCK32(00000000), ref: 005E12F4
                    • listen.WSOCK32(00000000,00000005), ref: 005E1303
                    • WSAGetLastError.WSOCK32 ref: 005E130D
                    • closesocket.WSOCK32(00000000), ref: 005E133C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorLast$closesocket$bindlistensocket
                    • String ID:
                    • API String ID: 540024437-0
                    • Opcode ID: bd1e2242ced91501f1fb67f4484e63a08e93d1b42e795ef7c4e5fb73dfc9bd61
                    • Instruction ID: cf8c583aef19b703914c5878e094c04caf9df1fe0f55950d616dbc5ec752218d
                    • Opcode Fuzzy Hash: bd1e2242ced91501f1fb67f4484e63a08e93d1b42e795ef7c4e5fb73dfc9bd61
                    • Instruction Fuzzy Hash: 8D41C135A005419FD714DF25C988B69BFE6BF86318F188098E9968F292C771EC85CBE1
                    APIs
                      • Part of subcall function 00563AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00563A97,?,?,00562E7F,?,?,?,00000000), ref: 00563AC2
                      • Part of subcall function 005CE199: GetFileAttributesW.KERNEL32(?,005CCF95), ref: 005CE19A
                    • FindFirstFileW.KERNEL32(?,?), ref: 005CD420
                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 005CD470
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 005CD481
                    • FindClose.KERNEL32(00000000), ref: 005CD498
                    • FindClose.KERNEL32(00000000), ref: 005CD4A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                    • String ID: \*.*
                    • API String ID: 2649000838-1173974218
                    • Opcode ID: 8c454e6a82cf575a0208df295db824834956a1a82854d8c0e1f8a9f17c807cfd
                    • Instruction ID: bd53ec99f1607f886a082843e2479ac03a294be6428022d5d6065b25039e32f5
                    • Opcode Fuzzy Hash: 8c454e6a82cf575a0208df295db824834956a1a82854d8c0e1f8a9f17c807cfd
                    • Instruction Fuzzy Hash: D5316D310083469FC704EFA4D9959AFBFA8BEE1304F444E2DF4D593191EB74AA09DB62
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: __floor_pentium4
                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                    • API String ID: 4168288129-2761157908
                    • Opcode ID: f1dbbaf30649ecdf9da16db292f25356d07c799ef1fc004b4bd6d0966f258ab9
                    • Instruction ID: 1a061817357847212dca2e1eeb114fa098929ce715f1df6fabe5506bdb8988fa
                    • Opcode Fuzzy Hash: f1dbbaf30649ecdf9da16db292f25356d07c799ef1fc004b4bd6d0966f258ab9
                    • Instruction Fuzzy Hash: 04C23971E046298BDF25CE28DD457EABBB9FB44304F1445EAD84EE7241E778AE818F40
                    APIs
                    • _wcslen.LIBCMT ref: 005D64DC
                    • CoInitialize.OLE32(00000000), ref: 005D6639
                    • CoCreateInstance.OLE32(005FFCF8,00000000,00000001,005FFB68,?), ref: 005D6650
                    • CoUninitialize.OLE32 ref: 005D68D4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                    • String ID: .lnk
                    • API String ID: 886957087-24824748
                    • Opcode ID: 87ae4519e56e7e0a6b172745e4114074b66bb1c1a33a19ad9945c991255e3346
                    • Instruction ID: 94127e758e2df0b673ff8d424aef73391e561a8730498a5b1b7f84873b9c9f86
                    • Opcode Fuzzy Hash: 87ae4519e56e7e0a6b172745e4114074b66bb1c1a33a19ad9945c991255e3346
                    • Instruction Fuzzy Hash: 48D14B71508202AFD314EF24C88596BBBE8FFD8704F40496EF5958B291DB71ED46CBA2
                    APIs
                    • GetForegroundWindow.USER32(?,?,00000000), ref: 005E22E8
                      • Part of subcall function 005DE4EC: GetWindowRect.USER32(?,?), ref: 005DE504
                    • GetDesktopWindow.USER32 ref: 005E2312
                    • GetWindowRect.USER32(00000000), ref: 005E2319
                    • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005E2355
                    • GetCursorPos.USER32(?), ref: 005E2381
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005E23DF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForeground
                    • String ID:
                    • API String ID: 2387181109-0
                    • Opcode ID: 461094d60fbba3bdd7c240ad30c16204c6653a0c9cdffe8b872430ab4753ee2a
                    • Instruction ID: 9082d031d8f77196f6a9a5917f01b1b32fff3b0e104dd5a8ea2cde25b57285cc
                    • Opcode Fuzzy Hash: 461094d60fbba3bdd7c240ad30c16204c6653a0c9cdffe8b872430ab4753ee2a
                    • Instruction Fuzzy Hash: 5F31BE72505359AFC724DF55C849F6BBBAAFB88310F000919F985D7181DA34E908CB92
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 005D9B78
                    • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 005D9C8B
                      • Part of subcall function 005D3874: GetInputState.USER32 ref: 005D38CB
                      • Part of subcall function 005D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005D3966
                    • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 005D9BA8
                    • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005D9C75
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                    • String ID: *.*
                    • API String ID: 1972594611-438819550
                    • Opcode ID: b7c5afe5c0cd408378d3522aa15718330d28033c01f237235bd70d71ff7f0695
                    • Instruction ID: f03da3ec677a6f924602bf2b350ac4c2fa34a3a29661952bd14e98003e92bcaf
                    • Opcode Fuzzy Hash: b7c5afe5c0cd408378d3522aa15718330d28033c01f237235bd70d71ff7f0695
                    • Instruction Fuzzy Hash: 27415E7190420A9BDF24DF68C949AEE7FB8FF55310F244467E805A32A1EB309E44DF61
                    APIs
                      • Part of subcall function 00579BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00579BB2
                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00579A4E
                    • GetSysColor.USER32(0000000F), ref: 00579B23
                    • SetBkColor.GDI32(?,00000000), ref: 00579B36
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Color$LongProcWindow
                    • String ID:
                    • API String ID: 3131106179-0
                    • Opcode ID: 6219f5e035c3965872febf28260673128b1386df43f75b1e88c08f068655119b
                    • Instruction ID: 3ecbbc0f0acff0c104d72a748f2ddc641d78a8514b56a6703bf2987be54ed828
                    • Opcode Fuzzy Hash: 6219f5e035c3965872febf28260673128b1386df43f75b1e88c08f068655119b
                    • Instruction Fuzzy Hash: 23A13A70109418AEE728AE3DAC5CEBB2E5DFBC6300F258509F106CA6D5CA25AD01E372
                    APIs
                      • Part of subcall function 005E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005E307A
                      • Part of subcall function 005E304E: _wcslen.LIBCMT ref: 005E309B
                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005E185D
                    • WSAGetLastError.WSOCK32 ref: 005E1884
                    • bind.WSOCK32(00000000,?,00000010), ref: 005E18DB
                    • WSAGetLastError.WSOCK32 ref: 005E18E6
                    • closesocket.WSOCK32(00000000), ref: 005E1915
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 1601658205-0
                    • Opcode ID: dc454a4c85567a35ff8965434e8d17e0a959b9d068f12171351a233f52cb326c
                    • Instruction ID: d79d8d1a7a8f81db06ece7dc2188e00dbd30255e59d5ddac0a0d6318c3466651
                    • Opcode Fuzzy Hash: dc454a4c85567a35ff8965434e8d17e0a959b9d068f12171351a233f52cb326c
                    • Instruction Fuzzy Hash: DF51B475A002019FDB14AF24C88AF6A7FE5BB84718F088498F9469F3D3D771AD41CBA1
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    • API String ID: 292994002-0
                    • Opcode ID: e63aa9f34e5f3bba08f2e3667e03360999f7b50fd312933b48a4b85b9a4336be
                    • Instruction ID: 5c5e89e551cb89bc69af6c6ff233faff521d39560bcb4c2bf3c85a0f9610a5fb
                    • Opcode Fuzzy Hash: e63aa9f34e5f3bba08f2e3667e03360999f7b50fd312933b48a4b85b9a4336be
                    • Instruction Fuzzy Hash: 6E21A031740A099FD7208F2AC844B3A7FA5BF95324B188468E946CB351CB79EC46CB98
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                    • API String ID: 0-1546025612
                    • Opcode ID: 56251b50aea9293fdbf0657b47aa1c180695a39b65da558a9c670396409c901d
                    • Instruction ID: 0fba2633607a2656a34db8a07356923c57f0d5a1735183d685799b79d0651056
                    • Opcode Fuzzy Hash: 56251b50aea9293fdbf0657b47aa1c180695a39b65da558a9c670396409c901d
                    • Instruction Fuzzy Hash: E8A28174E0061ACBDF24CF58C8547BDBBB1BF55314F2486AAE815A7285EB709D81CF90
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 005C82AA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($tbb$|
                    • API String ID: 1659193697-2205570525
                    • Opcode ID: 789b49f781115ec8fc281968e54bede0cffb950055ea9cdfb23c70342c91ecd0
                    • Instruction ID: bfdcd8bde9808145f4e0ffc87cfd699a647111b4d67994d1758ebc2723609d80
                    • Opcode Fuzzy Hash: 789b49f781115ec8fc281968e54bede0cffb950055ea9cdfb23c70342c91ecd0
                    • Instruction Fuzzy Hash: C5322674A006059FCB28CF59C481E6ABBF0FF48710B15C96EE59ADB7A1EB70E941CB44
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 005EA6AC
                    • Process32FirstW.KERNEL32(00000000,?), ref: 005EA6BA
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • Process32NextW.KERNEL32(00000000,?), ref: 005EA79C
                    • CloseHandle.KERNEL32(00000000), ref: 005EA7AB
                      • Part of subcall function 0057CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,005A3303,?), ref: 0057CE8A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                    • String ID:
                    • API String ID: 1991900642-0
                    • Opcode ID: f9d0fd235fb288905842010fbf53bf4c2ebd0aecc76e40a0a2bd40f547f80d39
                    • Instruction ID: 74ca0802c5b97e905c0e3fa57b291bac6c1c2306be395dccfb3303b011d17f20
                    • Opcode Fuzzy Hash: f9d0fd235fb288905842010fbf53bf4c2ebd0aecc76e40a0a2bd40f547f80d39
                    • Instruction Fuzzy Hash: F1513A715083419FD714EF25C88AA6BBBE8FFD9754F00892DF58997291EB30E904CB92
                    APIs
                    • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 005CAAAC
                    • SetKeyboardState.USER32(00000080), ref: 005CAAC8
                    • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 005CAB36
                    • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 005CAB88
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: 74064e8c035e0f6a1e68ccee6b39b7b7ca60847d91792b359a53230126f6a9e0
                    • Instruction ID: 7b4ab838cf8a823cf7653ba927656f9afc15adcc477f62ba7deb31511a2f2b85
                    • Opcode Fuzzy Hash: 74064e8c035e0f6a1e68ccee6b39b7b7ca60847d91792b359a53230126f6a9e0
                    • Instruction Fuzzy Hash: D031F370A4024CAEFB258AA8CC09FFA7FAABB94318F04421EF181961D1D7758D85D762
                    APIs
                    • _free.LIBCMT ref: 0059BB7F
                      • Part of subcall function 005929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000), ref: 005929DE
                      • Part of subcall function 005929C8: GetLastError.KERNEL32(00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000,00000000), ref: 005929F0
                    • GetTimeZoneInformation.KERNEL32 ref: 0059BB91
                    • WideCharToMultiByte.KERNEL32(00000000,?,0063121C,000000FF,?,0000003F,?,?), ref: 0059BC09
                    • WideCharToMultiByte.KERNEL32(00000000,?,00631270,000000FF,?,0000003F,?,?,?,0063121C,000000FF,?,0000003F,?,?), ref: 0059BC36
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                    • String ID:
                    • API String ID: 806657224-0
                    • Opcode ID: b353b2f9c660b7f1dab6a79a774ad613b39582936089a39321115c0bca952733
                    • Instruction ID: 5f8c610d07481ed277de90c01b9993496d9c32451a7e812c25bda67d85ed782e
                    • Opcode Fuzzy Hash: b353b2f9c660b7f1dab6a79a774ad613b39582936089a39321115c0bca952733
                    • Instruction Fuzzy Hash: 3331C170904206DFEF10DF69ED8092EBFBAFF56310B14566AE010DB2A1D7309E80CB90
                    APIs
                    • InternetReadFile.WININET(?,?,00000400,?), ref: 005DCE89
                    • GetLastError.KERNEL32(?,00000000), ref: 005DCEEA
                    • SetEvent.KERNEL32(?,?,00000000), ref: 005DCEFE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorEventFileInternetLastRead
                    • String ID:
                    • API String ID: 234945975-0
                    • Opcode ID: 5279ce10ae57def5c80d89112694d0ebfb0adc14cd00b9f61afe8bbc4acccf2f
                    • Instruction ID: e9e71278b963e9fff4ae19667500017ee16b1d7342436fafe483b891b77836a2
                    • Opcode Fuzzy Hash: 5279ce10ae57def5c80d89112694d0ebfb0adc14cd00b9f61afe8bbc4acccf2f
                    • Instruction Fuzzy Hash: FC21ACB15003069BEB319FA9C949BAA7FFCFB50354F10482FE546E2251E774EA48DB60
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 005D5CC1
                    • FindNextFileW.KERNEL32(00000000,?), ref: 005D5D17
                    • FindClose.KERNEL32(?), ref: 005D5D5F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Find$File$CloseFirstNext
                    • String ID:
                    • API String ID: 3541575487-0
                    • Opcode ID: 1ba97654beacd7048acebf4b3dc9fee246e5b137d0526fac6d9d8e79cbaa1563
                    • Instruction ID: f2b3e03d39828be93f8af2ed8d54faafe930afe8da1f5190703401cd3018b5bd
                    • Opcode Fuzzy Hash: 1ba97654beacd7048acebf4b3dc9fee246e5b137d0526fac6d9d8e79cbaa1563
                    • Instruction Fuzzy Hash: 6F518C746046029FC724DF28C498E96BBE5FF49314F14855EE99A8B3A1DB30ED44CFA1
                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0059271A
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00592724
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00592731
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: d1257cd9cb6a392b7e6620d006f4d78d9e23925f59c5f08cf81019f225b24b8b
                    • Instruction ID: 7597a224e4e54f1b9a5236920b62d1971e3cd83f557029c3c464b5687446c37d
                    • Opcode Fuzzy Hash: d1257cd9cb6a392b7e6620d006f4d78d9e23925f59c5f08cf81019f225b24b8b
                    • Instruction Fuzzy Hash: E031C67490121DABCB21DF64DD8979CBBB8BF18310F5055EAE81CA6260E7349F858F44
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 005D51DA
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005D5238
                    • SetErrorMode.KERNEL32(00000000), ref: 005D52A1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    • Opcode ID: 9de5a9aa805cdb648d28ce3e813fabf14d19b151b828d07b7896c21b7e7220f0
                    • Instruction ID: 34f113f256e078fa86bc59647cf9577c4f9c0a1d08a55ff3315802ed1511e238
                    • Opcode Fuzzy Hash: 9de5a9aa805cdb648d28ce3e813fabf14d19b151b828d07b7896c21b7e7220f0
                    • Instruction Fuzzy Hash: 52315075A00519DFDB00DF94D888EADBFB4FF48314F048099E8459B352DB35E859CB90
                    APIs
                      • Part of subcall function 0057FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00580668
                      • Part of subcall function 0057FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00580685
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005C170D
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005C173A
                    • GetLastError.KERNEL32 ref: 005C174A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                    • String ID:
                    • API String ID: 577356006-0
                    • Opcode ID: fd37485fb069f484fa840f20d71f06972c0d990cf2294fb76bf114162a7cb6a3
                    • Instruction ID: bb9387e43b47e420dbf3fb7250391243144a28cef11879da69b60701329106cd
                    • Opcode Fuzzy Hash: fd37485fb069f484fa840f20d71f06972c0d990cf2294fb76bf114162a7cb6a3
                    • Instruction Fuzzy Hash: 6E11B2B1400209BFD718DF54EC8AE6ABBFDFB44754B20852EE05696241EB70BC41CB24
                    APIs
                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005CD608
                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005CD645
                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005CD650
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle
                    • String ID:
                    • API String ID: 33631002-0
                    • Opcode ID: db8a46d766f96e028a9897f6033b792ef277405e5456f7a08401df3cb3fd469b
                    • Instruction ID: dcf9bba62f0e631e921d54490c6a627201bba7ed8f9856e59a23851f8d46a37d
                    • Opcode Fuzzy Hash: db8a46d766f96e028a9897f6033b792ef277405e5456f7a08401df3cb3fd469b
                    • Instruction Fuzzy Hash: C9117C75E01228BFDB108F989C44FAFBFBCEB45B50F108126F904E7290C2704A05DBA1
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005C168C
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005C16A1
                    • FreeSid.ADVAPI32(?), ref: 005C16B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    • Opcode ID: 6f98e986a48d19e48a2e0a8e4695390022c87f5f924ed9816e1bfbc0a2197889
                    • Instruction ID: 00ebc2491613621201d0cd45af534599975c896f4acc2183e46aa683ebbbee41
                    • Opcode Fuzzy Hash: 6f98e986a48d19e48a2e0a8e4695390022c87f5f924ed9816e1bfbc0a2197889
                    • Instruction Fuzzy Hash: 9EF0F47195030DFBDB00DFE49D89EAEBBBCFB08604F504965E501E2181E774AA48AA54
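The records on this page list each function's Win32 calls with raw hexadecimal arguments and leave the decoding to the reader: socket(00000002,00000002,00000011) is socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP), and the sub-authorities 00000020,00000220 passed to AllocateAndInitializeSid are 32 and 544, the RIDs of BUILTIN\Administrators when the identifier authority (printed as ? in the report) is SECURITY_NT_AUTHORITY. The Python below is an added editor's example, not part of the Joe Sandbox report and not code from the analysed sample: it parses records in this page's layout, decodes those two argument sets, and tags the call combinations that appear in the records above (socket+bind, CreateToolhelp32Snapshot with Process32First/Next, AllocateAndInitializeSid+CheckTokenMembership, LookupPrivilegeValue+AdjustTokenPrivileges, SetKeyboardState+SendInput, IsDebuggerPresent). The constant tables and capability labels are the editor's own, not Joe Sandbox signatures, and the three sample records are copied from this page with their memory-dump metadata cut to its heading.

```python
"""Triage helper for the per-function API records in a Joe Sandbox report.
Added example by the editor: not part of the report and not code from the sample.
Capability labels and constant tables are the editor's, not Joe Sandbox signatures."""
import re
from collections import namedtuple

# Constructed sample: three records copied from this report in its own layout,
# each cut down to its "APIs" list and the heading that ends it.
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005E185D
• WSAGetLastError.WSOCK32 ref: 005E1884
• bind.WSOCK32(00000000,?,00000010), ref: 005E18DB
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 005EA6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 005EA6BA
  • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
• Process32NextW.KERNEL32(00000000,?), ref: 005EA79C
Memory Dump Source
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005C168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005C16A1
Memory Dump Source
"""

# One call line: optional "Part of subcall function ADDR:" prefix, then
# Name.MODULE, optional "(args)", then "ref: ADDR".
CALL_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>[\w@$]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
# args: int per resolved hex argument, None where the report prints "?";
# direct: False for "Part of subcall function" lines.
Call = namedtuple("Call", "name module args ref direct")

ADDRESS_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTOCOLS = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
WELL_KNOWN_RIDS = {(32, 544): "BUILTIN\\Administrators (S-1-5-32-544)"}
# Call combinations that earn a label when they occur in one function.
CAPABILITIES = {
    "socket_bind": {"socket", "bind"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "group_membership_check": {"AllocateAndInitializeSid", "CheckTokenMembership"},
    "token_privilege_adjust": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "synthetic_keystrokes": {"SetKeyboardState", "SendInput"},
    "debugger_check": {"IsDebuggerPresent"},
}


def parse_records(text):
    """Return one list of Call per 'APIs' heading; the list ends at the next heading."""
    records, current = [], None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "APIs":
            current = []
            records.append(current)
        elif heading in ("Memory Dump Source", "Strings"):
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            raw = m.group("args")
            args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw else []
            current.append(Call(m.group("name"), m.group("module"), args,
                                m.group("ref"), m.group("sub") is None))
    return records


def direct_names(record):
    """API names called by the function itself, excluding its sub-calls."""
    return {c.name for c in record if c.direct}


def triage(record):
    """Return (capability labels, decoded argument details) for one record."""
    names = direct_names(record)
    labels = {label for label, needed in CAPABILITIES.items() if needed <= names}
    details = {}
    for c in record:
        if c.name == "socket" and len(c.args) >= 3:
            af, typ, proto = c.args[:3]
            details["socket"] = (ADDRESS_FAMILIES.get(af, af), SOCKET_TYPES.get(typ, typ),
                                 PROTOCOLS.get(proto, proto))
        elif c.name == "AllocateAndInitializeSid" and len(c.args) >= 2 and c.args[1] is not None:
            # args: (authority*, count, sub0..sub7, ...). The authority is a pointer the
            # report prints as "?", so the BUILTIN\... reading assumes SECURITY_NT_AUTHORITY.
            subs = c.args[2:2 + c.args[1]]
            details["sid_subauthorities"] = subs
            details["well_known"] = WELL_KNOWN_RIDS.get(tuple(subs), "unknown")
    return labels, details


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE), 1):
        labels, details = triage(rec)
        print(f"record {i}: {sorted(direct_names(rec))} -> {sorted(labels)} {details}")
```

Sub-call lines ("Part of subcall function ...") are parsed but kept out of the labels, so CRT helpers such as _wcslen do not inflate a function's capability set, and unresolved arguments stay None so a record that passes a pointer where a constant is expected is not mis-decoded. Running the script against the full page text, with the "Memory Dump Source" and "Strings" headings left in place as record terminators, yields one label set per function.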
                    APIs
                    • GetCurrentProcess.KERNEL32(005928E9,?,00584CBE,005928E9,006288B8,0000000C,00584E15,005928E9,00000002,00000000,?,005928E9), ref: 00584D09
                    • TerminateProcess.KERNEL32(00000000,?,00584CBE,005928E9,006288B8,0000000C,00584E15,005928E9,00000002,00000000,?,005928E9), ref: 00584D10
                    • ExitProcess.KERNEL32 ref: 00584D22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 740485a4d4d9ae1760906f2cee842862ea46a429a3bd84ec3b802a145f5c4c63
                    • Instruction ID: 8b85fe3951a71e54d288c6b393b7d883b5c9bbcb7d270c3d601ecdfd36b59ab8
                    • Opcode Fuzzy Hash: 740485a4d4d9ae1760906f2cee842862ea46a429a3bd84ec3b802a145f5c4c63
                    • Instruction Fuzzy Hash: 67E0B631001149ABCF12BF54DE09E687F6AFB91781B104424FC05DA162CB39ED56EF80
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 005BD28C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: NameUser
                    • String ID: X64
                    • API String ID: 2645101109-893830106
                    • Opcode ID: cdeff756374b01dc674327ead1c4036eeceeb1afc31a590e7a2e5625035a182c
                    • Instruction ID: 28e05eb710402fdd78c7d23ca453cf8f4100b8cd549a738c1e126c2ff39924cd
                    • Opcode Fuzzy Hash: cdeff756374b01dc674327ead1c4036eeceeb1afc31a590e7a2e5625035a182c
                    • Instruction Fuzzy Hash: 46D0C9B880111DEACB94CB90EC8CDDDBB7CBF14305F104955F506E2000EB3495499F20
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                    • Instruction ID: 47c32353fd823e7d910e9f37d6584708a9ad1ec7d647cf74ab01d597e004a4a7
                    • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                    • Instruction Fuzzy Hash: 59020A71E012199BDF14DFA9C8806ADBFB5FF88314F25816AD919BB280D731AE418B94
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: Variable is not of type 'Object'.$p#c
                    • API String ID: 0-2238220239
                    • Opcode ID: 59a61b33a6ecb785cd58a0ec7ccce83af418a10d941125c72c6e667f4b75f9cf
                    • Instruction ID: cfbbacc07a64fb662f902c2070f298c9d8bec35272f18ea7af2191c170adaeed
                    • Opcode Fuzzy Hash: 59a61b33a6ecb785cd58a0ec7ccce83af418a10d941125c72c6e667f4b75f9cf
                    • Instruction Fuzzy Hash: 89329C70900219DFDF14DF90C889AFEBFB9BF45304F148469E846AB292DB75AE45CB60
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 005D6918
                    • FindClose.KERNEL32(00000000), ref: 005D6961
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: 41d248ad4181da6f0b4aa43bc67c1062fd2e61caee324ea69ac13425996ef280
                    • Instruction ID: 017ababff6a936b008088b4b4a6a4dbd5d1ad807fd27b7a792303da22089576a
                    • Opcode Fuzzy Hash: 41d248ad4181da6f0b4aa43bc67c1062fd2e61caee324ea69ac13425996ef280
                    • Instruction Fuzzy Hash: F21196355042019FC710DF69D488A25BFE5FF85328F14C59AE4698F3A2C734EC05CB91
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005E4891,?,?,00000035,?), ref: 005D37E4
                    • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005E4891,?,?,00000035,?), ref: 005D37F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    • Opcode ID: aa3270b992224cd90ab7c0e3a49cf634fe29314bce80885dc8e04675c9512c49
                    • Instruction ID: ddfa9e1f3889981e0bc750e80ff5f486e376c646ad76621511a113aaaca2f694
                    • Opcode Fuzzy Hash: aa3270b992224cd90ab7c0e3a49cf634fe29314bce80885dc8e04675c9512c49
                    • Instruction Fuzzy Hash: 50F0E5B460522A2AE720576A8C4DFEB3FAEFFC5761F000176F509E22C1D9609E08C6B1
                    APIs
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 005CB25D
                    • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 005CB270
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: InputSendkeybd_event
                    • String ID:
                    • API String ID: 3536248340-0
                    • Opcode ID: 132d083e0b416f4076487dc6cdcc170aa991e9d8f4cd6287f75c211616de462a
                    • Instruction ID: e9f7627659633a6297560d6fce61f07fcb315038d8ed433db309a2bb7fb465e0
                    • Opcode Fuzzy Hash: 132d083e0b416f4076487dc6cdcc170aa991e9d8f4cd6287f75c211616de462a
                    • Instruction Fuzzy Hash: E2F01D7580424DAFEB059FA0C806BBE7FB4FF04305F008419F955A5191C3799615DF94
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005C11FC), ref: 005C10D4
                    • CloseHandle.KERNEL32(?,?,005C11FC), ref: 005C10E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    • Opcode ID: de92cabc974d20c2179bfaa82b46f257948827725dee5a3e98e74ce690a7e0e4
                    • Instruction ID: 1ee7e06b630260e41be95c9663a7d983582d4d0877b59dcef23a1bdca0ff134f
                    • Opcode Fuzzy Hash: de92cabc974d20c2179bfaa82b46f257948827725dee5a3e98e74ce690a7e0e4
                    • Instruction Fuzzy Hash: 29E04F32018601AFE7256B51FC09E777FADFF04310B10C82DF4A5804B1DB626C90EB14
                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00596766,?,?,00000008,?,?,0059FEFE,00000000), ref: 00596998
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    • Opcode ID: b75a8566b995cc26962c5d33435c36413f2bc17ac65a7d7d9f7686fd844bcfd5
                    • Instruction ID: f290c1621d5b1878234d15546ea3b1ea6f5fa6b237029adcda1becdfe6b25c76
                    • Opcode Fuzzy Hash: b75a8566b995cc26962c5d33435c36413f2bc17ac65a7d7d9f7686fd844bcfd5
                    • Instruction Fuzzy Hash: CFB13C31610609DFDB19CF28C48AB657FE0FF45364F298658E899CF2A2C735E999CB40
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID: 0-3916222277
                    • Opcode ID: 293a61c3bfa38a9e7c3475b0f3ff76dbe5cf1b73173d76bce3a3c084f82bf6d4
                    • Instruction ID: f200f0d11f9f4b6ac37e3ccec334eeeb0ef1ed15595bd5706feb5bc125674101
                    • Opcode Fuzzy Hash: 293a61c3bfa38a9e7c3475b0f3ff76dbe5cf1b73173d76bce3a3c084f82bf6d4
                    • Instruction Fuzzy Hash: 14125E759002299BDF24CF58D880BFEBBF5FF48310F14859AE849EB251DB349A81DB90
                    APIs
                    • BlockInput.USER32(00000001), ref: 005DEABD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: BlockInput
                    • String ID:
                    • API String ID: 3456056419-0
                    • Opcode ID: d83414557d4b48e496c99bf68e5ee33787ea3455850334672cebd41a5bbe805f
                    • Instruction ID: 1aa5ceb6879c270f70a7f780698c131ea0a3f2e4d846cf70f2e9dfac8dcf6e67
                    • Opcode Fuzzy Hash: d83414557d4b48e496c99bf68e5ee33787ea3455850334672cebd41a5bbe805f
                    • Instruction Fuzzy Hash: 7DE012312002059FD710EF5DD409D9AFFD9BF98760F008417FC45CB351DA70A8448B90
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005803EE), ref: 005809DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 92bec30c29c4bdc9a9d5a64b179cf9297f6403cfcd329947352a0f74ae3bd743
                    • Instruction ID: e85502bc04bd27619ad472ad130d5528617815a920a38cd9b7dddf2cac70b683
                    • Opcode Fuzzy Hash: 92bec30c29c4bdc9a9d5a64b179cf9297f6403cfcd329947352a0f74ae3bd743
                    • Instruction Fuzzy Hash:
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                    • Instruction ID: f6cf0209becef70c617aad0dfb93ca33fa4737355dcca03d10b85fdd0ddf0eaa
                    • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                    • Instruction Fuzzy Hash: 6751897160C60E5BDB38B528889E7BE2F89FB5E340F380909DC86F7282D611DE01DB56
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0&c
                    • API String ID: 0-3427766084
                    • Opcode ID: 4a3dfd4a03f5614619b681d6ef2288fc8dda2728f8c4017a5decff9dacb86b70
                    • Instruction ID: b69f1144cdb8f5944b4037b1cdcb5a5e3544cc79385261d99ee9dbafda71bc6c
                    • Opcode Fuzzy Hash: 4a3dfd4a03f5614619b681d6ef2288fc8dda2728f8c4017a5decff9dacb86b70
                    • Instruction Fuzzy Hash: 7C21A5326606118BDB28CE79C82767A77E5BB64320F15862EE4A7C37D0DE35A904CB80
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dbae2519736f17fce8278f58f4e3e8370cd46926af4da7785abe43f7c7d234ba
                    • Instruction ID: 14bf392a21a4d8ff89feb1c5c2d70a5e8da26cb469b811a0355bb0685afb3765
                    • Opcode Fuzzy Hash: dbae2519736f17fce8278f58f4e3e8370cd46926af4da7785abe43f7c7d234ba
                    • Instruction Fuzzy Hash: 02321421D79F054DDB239634CC363366A89BFBB3C5F15D727E81AB59A6EB29C4834100
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7f5977d8081f626e64b3cc539c606531d613d3e717af7ea56e946114860708a6
                    • Instruction ID: 99882bc663c74bb954ee7867d0fdf08e5296476e0fbd8e3ebc6ada10812c8326
                    • Opcode Fuzzy Hash: 7f5977d8081f626e64b3cc539c606531d613d3e717af7ea56e946114860708a6
                    • Instruction Fuzzy Hash: 45320331A001558BDF39CF28D4A46FD7FA5FB45300F28856AD8AACB691D734ED81EB48
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: daab8efd5af6a7ac5c47774ab8d6d16751c720a28a03e1e8e00d7c10033936cd
                    • Instruction ID: faa04e0677495072e372c249a38dc3c124b3ecc9d3ce08f93faf5bfe24001e4a
                    • Opcode Fuzzy Hash: daab8efd5af6a7ac5c47774ab8d6d16751c720a28a03e1e8e00d7c10033936cd
                    • Instruction Fuzzy Hash: 9A22E470A0060ADFDF14CFA4D845AAEBBF6FF49304F204529E816A7291FB359D15CB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f34e3ac6b1f9021061019278ff14e4c1fcc073d62a294313b1ee5713a9c8cab5
                    • Instruction ID: c3a64ba2d55e62c0a5816d011cddc38db92f85c3e7fc22f2795daea1d73ebc4a
                    • Opcode Fuzzy Hash: f34e3ac6b1f9021061019278ff14e4c1fcc073d62a294313b1ee5713a9c8cab5
                    • Instruction Fuzzy Hash: 9C02C8B0A0010AEFDB14DF54D895AAEBFB5FF45300F108569E806DB391E7319E11DB91
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                    • Instruction ID: 1c56c4f06a01e28f755ad8b205fe37842f009a23249811806e4f777226717231
                    • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                    • Instruction Fuzzy Hash: CE91B8722094A34ADB29563E853413EFFE97A923A131A079DDCF3EA1C1FE10C955D724
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                    • Instruction ID: 7deaf158b9242fd92ec0eafe47c11f57683b6c262a988b06576594136b727b84
                    • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                    • Instruction Fuzzy Hash: 8491D6722098E34ADB2D527A847403DFFE96A923A231A079ED8F3EA1C1FD14C556D724
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 071f4141b6bb03ac14a966e41379fcc4b539d71006698894dd1c5f60a1614e1c
                    • Instruction ID: d84b351c9a9c81ea86db24edc2d861544ad86d31d842f82ec0b1b6cfea0b49d4
                    • Opcode Fuzzy Hash: 071f4141b6bb03ac14a966e41379fcc4b539d71006698894dd1c5f60a1614e1c
                    • Instruction Fuzzy Hash: 4D61497130870E56DA38B9288899BBE6F96FF9D701F740D19EC42FB281EA11DE428355
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b68abce483c82a999aa2766e38b862b86b224ec0b1659dee56a539a2b82458c8
                    • Instruction ID: 7d39b6106f5a87f0b898ddc135110b5a8f52a3b1de356ffa7249e0fb5710b532
                    • Opcode Fuzzy Hash: b68abce483c82a999aa2766e38b862b86b224ec0b1659dee56a539a2b82458c8
                    • Instruction Fuzzy Hash: 2D617B3120870E96DA3879384855BBE2F88FF9E744F741959EC43FB281EA12ED418355
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                    • Instruction ID: b49397647a1f3364338b6ac55aa9984c4bbeca859afc824a0f70f4b8aa110673
                    • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                    • Instruction Fuzzy Hash: 8881A6336084A30DDB2D523A853547EFFE5BA923A131A079DD8F2DB1C1EE24C556EB24
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 005E2B30
                    • DeleteObject.GDI32(00000000), ref: 005E2B43
                    • DestroyWindow.USER32 ref: 005E2B52
                    • GetDesktopWindow.USER32 ref: 005E2B6D
                    • GetWindowRect.USER32(00000000), ref: 005E2B74
                    • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 005E2CA3
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 005E2CB1
                    • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2CF8
                    • GetClientRect.USER32(00000000,?), ref: 005E2D04
                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005E2D40
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2D62
                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2D75
                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2D80
                    • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2D89
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2D98
                    • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2DA1
                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2DA8
                    • GlobalFree.KERNEL32(00000000), ref: 005E2DB3
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2DC5
                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,005FFC38,00000000), ref: 005E2DDB
                    • GlobalFree.KERNEL32(00000000), ref: 005E2DEB
                    • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 005E2E11
                    • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 005E2E30
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E2E52
                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005E303F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                    • String ID: $AutoIt v3$DISPLAY$static
                    • API String ID: 2211948467-2373415609
                    • Opcode ID: c15eecdde1dc21554be2988f0c4dd9d074781f637056fbebca31ec44b6ca970d
                    • Instruction ID: 57b5a9fd63eb8347bff8c64b23fc1d886de6269de3b4f4c187c3d150e5656ccd
                    • Opcode Fuzzy Hash: c15eecdde1dc21554be2988f0c4dd9d074781f637056fbebca31ec44b6ca970d
                    • Instruction Fuzzy Hash: E3028A71900209AFDB18DFA4CD89EAE7FB9FB49310F008158F915EB2A1DB74AD45CB60
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 005F712F
                    • GetSysColorBrush.USER32(0000000F), ref: 005F7160
                    • GetSysColor.USER32(0000000F), ref: 005F716C
                    • SetBkColor.GDI32(?,000000FF), ref: 005F7186
                    • SelectObject.GDI32(?,?), ref: 005F7195
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 005F71C0
                    • GetSysColor.USER32(00000010), ref: 005F71C8
                    • CreateSolidBrush.GDI32(00000000), ref: 005F71CF
                    • FrameRect.USER32(?,?,00000000), ref: 005F71DE
                    • DeleteObject.GDI32(00000000), ref: 005F71E5
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 005F7230
                    • FillRect.USER32(?,?,?), ref: 005F7262
                    • GetWindowLongW.USER32(?,000000F0), ref: 005F7284
                      • Part of subcall function 005F73E8: GetSysColor.USER32(00000012), ref: 005F7421
                      • Part of subcall function 005F73E8: SetTextColor.GDI32(?,?), ref: 005F7425
                      • Part of subcall function 005F73E8: GetSysColorBrush.USER32(0000000F), ref: 005F743B
                      • Part of subcall function 005F73E8: GetSysColor.USER32(0000000F), ref: 005F7446
                      • Part of subcall function 005F73E8: GetSysColor.USER32(00000011), ref: 005F7463
                      • Part of subcall function 005F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005F7471
                      • Part of subcall function 005F73E8: SelectObject.GDI32(?,00000000), ref: 005F7482
                      • Part of subcall function 005F73E8: SetBkColor.GDI32(?,00000000), ref: 005F748B
                      • Part of subcall function 005F73E8: SelectObject.GDI32(?,?), ref: 005F7498
                      • Part of subcall function 005F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005F74B7
                      • Part of subcall function 005F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005F74CE
                      • Part of subcall function 005F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005F74DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                    • String ID:
                    • API String ID: 4124339563-0
                    • Opcode ID: 1a5a8932aa1828fbeeb2eb29a8247809081b46245a709ab14fb5d682e3588724
                    • Instruction ID: 5469a52511452a152527ea4eb49fbf0a12db6a7dfd69bf69384a4956e735dcf7
                    • Opcode Fuzzy Hash: 1a5a8932aa1828fbeeb2eb29a8247809081b46245a709ab14fb5d682e3588724
                    • Instruction Fuzzy Hash: B7A19172008309AFD7009F64DD48E7B7FA9FB59320F100A29FA62D61E1D779E948DB51
                    APIs
                    • DestroyWindow.USER32(?,?), ref: 00578E14
                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 005B6AC5
                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005B6AFE
                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 005B6F43
                      • Part of subcall function 00578F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00578BE8,?,00000000,?,?,?,?,00578BBA,00000000,?), ref: 00578FC5
                    • SendMessageW.USER32(?,00001053), ref: 005B6F7F
                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005B6F96
                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 005B6FAC
                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 005B6FB7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                    • String ID: 0
                    • API String ID: 2760611726-4108050209
                    • Opcode ID: ca8e4a5a5e7ae2c484e243f3b42bd78b294af881af713d85f35db259b9a3914b
                    • Instruction ID: 6b60a4e5d0a0f04641c8458a65ad415fb52055ee9a9f9d2594ed061ddb8afb44
                    • Opcode Fuzzy Hash: ca8e4a5a5e7ae2c484e243f3b42bd78b294af881af713d85f35db259b9a3914b
                    • Instruction Fuzzy Hash: 6912AC30604201DFDB25CF24D958BBABFAAFB45300F148469E489CB261CB39FC56EB91
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 005E273E
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005E286A
                    • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005E28A9
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005E28B9
                    • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 005E2900
                    • GetClientRect.USER32(00000000,?), ref: 005E290C
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005E2955
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005E2964
                    • GetStockObject.GDI32(00000011), ref: 005E2974
                    • SelectObject.GDI32(00000000,00000000), ref: 005E2978
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005E2988
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005E2991
                    • DeleteDC.GDI32(00000000), ref: 005E299A
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005E29C6
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 005E29DD
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 005E2A1D
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005E2A31
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 005E2A42
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005E2A77
                    • GetStockObject.GDI32(00000011), ref: 005E2A82
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005E2A8D
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005E2A97
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: 4f4d2c17d2b2af3825992e812014fc18365f95bc8969d8990688c61fa6a6a255
                    • Instruction ID: 89a2b303318fc5609b1ad00b145725dda3fbcb38ef2a419f0b84d8c673815301
                    • Opcode Fuzzy Hash: 4f4d2c17d2b2af3825992e812014fc18365f95bc8969d8990688c61fa6a6a255
                    • Instruction Fuzzy Hash: 2AB16D71A00219AFEB14DFA8CD49FAE7BA9FB49710F004155F915EB2A0D774ED40CBA0
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 005D4AED
                    • GetDriveTypeW.KERNEL32(?,005FCB68,?,\\.\,005FCC08), ref: 005D4BCA
                    • SetErrorMode.KERNEL32(00000000,005FCB68,?,\\.\,005FCC08), ref: 005D4D36
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: 0ab9c4a2f56334096cfc847f9f7fc4f6d292a9d9c7acd64b718eee3f086fc302
                    • Instruction ID: 3bd146b491014b880a3fd5c84b8d2b0818d9306653c21b099972e9e6bdfc1881
                    • Opcode Fuzzy Hash: 0ab9c4a2f56334096cfc847f9f7fc4f6d292a9d9c7acd64b718eee3f086fc302
                    • Instruction Fuzzy Hash: E261903071650A9BCB24EF28DA859797FB2BF44304B248827F806AB7A1DB35ED41DF51
                    APIs
                    • GetSysColor.USER32(00000012), ref: 005F7421
                    • SetTextColor.GDI32(?,?), ref: 005F7425
                    • GetSysColorBrush.USER32(0000000F), ref: 005F743B
                    • GetSysColor.USER32(0000000F), ref: 005F7446
                    • CreateSolidBrush.GDI32(?), ref: 005F744B
                    • GetSysColor.USER32(00000011), ref: 005F7463
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 005F7471
                    • SelectObject.GDI32(?,00000000), ref: 005F7482
                    • SetBkColor.GDI32(?,00000000), ref: 005F748B
                    • SelectObject.GDI32(?,?), ref: 005F7498
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 005F74B7
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005F74CE
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 005F74DB
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005F752A
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005F7554
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 005F7572
                    • DrawFocusRect.USER32(?,?), ref: 005F757D
                    • GetSysColor.USER32(00000011), ref: 005F758E
                    • SetTextColor.GDI32(?,00000000), ref: 005F7596
                    • DrawTextW.USER32(?,005F70F5,000000FF,?,00000000), ref: 005F75A8
                    • SelectObject.GDI32(?,?), ref: 005F75BF
                    • DeleteObject.GDI32(?), ref: 005F75CA
                    • SelectObject.GDI32(?,?), ref: 005F75D0
                    • DeleteObject.GDI32(?), ref: 005F75D5
                    • SetTextColor.GDI32(?,?), ref: 005F75DB
                    • SetBkColor.GDI32(?,?), ref: 005F75E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: 5e862612c9e7d7560c8e48f9fd9dea57074412bd2dc7224d61ddbf044a4018ad
                    • Instruction ID: 9aaed6180e32280b326dc7d0d7fa891a6065f650bd3a92a90d26a08bccef617a
                    • Opcode Fuzzy Hash: 5e862612c9e7d7560c8e48f9fd9dea57074412bd2dc7224d61ddbf044a4018ad
                    • Instruction Fuzzy Hash: 9F61597290421CAFDF019FA4DD49EEEBFB9FB08320F104525FA15EB2A1D6789944DB90
                    APIs
                    • GetCursorPos.USER32(?), ref: 005F1128
                    • GetDesktopWindow.USER32 ref: 005F113D
                    • GetWindowRect.USER32(00000000), ref: 005F1144
                    • GetWindowLongW.USER32(?,000000F0), ref: 005F1199
                    • DestroyWindow.USER32(?), ref: 005F11B9
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005F11ED
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005F120B
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005F121D
                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 005F1232
                    • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005F1245
                    • IsWindowVisible.USER32(00000000), ref: 005F12A1
                    • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005F12BC
                    • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005F12D0
                    • GetWindowRect.USER32(00000000,?), ref: 005F12E8
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 005F130E
                    • GetMonitorInfoW.USER32(00000000,?), ref: 005F1328
                    • CopyRect.USER32(?,?), ref: 005F133F
                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 005F13AA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: 6efc9b840c8679271aaa735ea00738da8cccdbf9595650effc30118fd6b16ec7
                    • Instruction ID: 1de7a0ba5f9ec2b539f39d8bd840b66fabb80a2e8ebf0fd0dff7170f1a25564a
                    • Opcode Fuzzy Hash: 6efc9b840c8679271aaa735ea00738da8cccdbf9595650effc30118fd6b16ec7
                    • Instruction Fuzzy Hash: 2EB18A71608745EFD700DF64C988A6ABFE4FF84310F008918FA9ADB2A1DB75E844CB95
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00578968
                    • GetSystemMetrics.USER32(00000007), ref: 00578970
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0057899B
                    • GetSystemMetrics.USER32(00000008), ref: 005789A3
                    • GetSystemMetrics.USER32(00000004), ref: 005789C8
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005789E5
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005789F5
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00578A28
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00578A3C
                    • GetClientRect.USER32(00000000,000000FF), ref: 00578A5A
                    • GetStockObject.GDI32(00000011), ref: 00578A76
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00578A81
                      • Part of subcall function 0057912D: GetCursorPos.USER32(?), ref: 00579141
                      • Part of subcall function 0057912D: ScreenToClient.USER32(00000000,?), ref: 0057915E
                      • Part of subcall function 0057912D: GetAsyncKeyState.USER32(00000001), ref: 00579183
                      • Part of subcall function 0057912D: GetAsyncKeyState.USER32(00000002), ref: 0057919D
                    • SetTimer.USER32(00000000,00000000,00000028,005790FC), ref: 00578AA8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: fbaaa60597f9e044c0080b2ee6a0c828c85258755d03ba88e3d2d4e4e7623d29
                    • Instruction ID: bc1af5e4106c03b1fa3a2a8af2654f854b7a90dde154aeaafe8a79bd02ae838b
                    • Opcode Fuzzy Hash: fbaaa60597f9e044c0080b2ee6a0c828c85258755d03ba88e3d2d4e4e7623d29
                    • Instruction Fuzzy Hash: 93B15C71A4020A9FDB14DF68DD49BBE7FB5FB48314F108129FA19EB290DB34A840DB51
                    APIs
                      • Part of subcall function 005C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005C1114
                      • Part of subcall function 005C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C1120
                      • Part of subcall function 005C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C112F
                      • Part of subcall function 005C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C1136
                      • Part of subcall function 005C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005C114D
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005C0DF5
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005C0E29
                    • GetLengthSid.ADVAPI32(?), ref: 005C0E40
                    • GetAce.ADVAPI32(?,00000000,?), ref: 005C0E7A
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005C0E96
                    • GetLengthSid.ADVAPI32(?), ref: 005C0EAD
                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 005C0EB5
                    • HeapAlloc.KERNEL32(00000000), ref: 005C0EBC
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 005C0EDD
                    • CopySid.ADVAPI32(00000000), ref: 005C0EE4
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005C0F13
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005C0F35
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 005C0F47
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C0F6E
                    • HeapFree.KERNEL32(00000000), ref: 005C0F75
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C0F7E
                    • HeapFree.KERNEL32(00000000), ref: 005C0F85
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C0F8E
                    • HeapFree.KERNEL32(00000000), ref: 005C0F95
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 005C0FA1
                    • HeapFree.KERNEL32(00000000), ref: 005C0FA8
                      • Part of subcall function 005C1193: GetProcessHeap.KERNEL32(00000008,005C0BB1,?,00000000,?,005C0BB1,?), ref: 005C11A1
                      • Part of subcall function 005C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005C0BB1,?), ref: 005C11A8
                      • Part of subcall function 005C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005C0BB1,?), ref: 005C11B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                    • String ID:
                    • API String ID: 4175595110-0
                    • Opcode ID: 10de0fbdf671270b801888ab7d7771b27cfa3909d949678ac4b54f1cbf8ecf5a
                    • Instruction ID: 1533c10efadc8a3aeaf3b085d57315b066f8c2574a8ac9e6acafff087b28defa
                    • Opcode Fuzzy Hash: 10de0fbdf671270b801888ab7d7771b27cfa3909d949678ac4b54f1cbf8ecf5a
                    • Instruction Fuzzy Hash: F571597290021AEFDF209FA4DD48FAEBFB8BF15300F044529F919E6191DB359A59CB60
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005EC4BD
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,005FCC08,00000000,?,00000000,?,?), ref: 005EC544
                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 005EC5A4
                    • _wcslen.LIBCMT ref: 005EC5F4
                    • _wcslen.LIBCMT ref: 005EC66F
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 005EC6B2
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 005EC7C1
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 005EC84D
                    • RegCloseKey.ADVAPI32(?), ref: 005EC881
                    • RegCloseKey.ADVAPI32(00000000), ref: 005EC88E
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 005EC960
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 9721498-966354055
                    • Opcode ID: 669aec57e3a36fc77207882f4bbca77d2224c6621e0a708a1bb6089f44bdde12
                    • Instruction ID: 53b9213ce0ebb9912efe7e88b9b9f4c6d37f657a1cf3123d4c5d1501e81736ad
                    • Opcode Fuzzy Hash: 669aec57e3a36fc77207882f4bbca77d2224c6621e0a708a1bb6089f44bdde12
                    • Instruction Fuzzy Hash: A4125D356042419FD718DF15C885A2ABFE5FF88714F14889DF89A9B3A2DB31ED42CB81
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 005F09C6
                    • _wcslen.LIBCMT ref: 005F0A01
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005F0A54
                    • _wcslen.LIBCMT ref: 005F0A8A
                    • _wcslen.LIBCMT ref: 005F0B06
                    • _wcslen.LIBCMT ref: 005F0B81
                      • Part of subcall function 0057F9F2: _wcslen.LIBCMT ref: 0057F9FD
                      • Part of subcall function 005C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005C2BFA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen$MessageSend$BuffCharUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 1103490817-4258414348
                    • Opcode ID: 99fbb0c1736c73d84af802fc99a106c670fe7ad35a02678b9fb109cf4adbdfad
                    • Instruction ID: 86da4b2ee3a4cd0b8bdb6020eebfb571253b0fe1d22600434707366f49633546
                    • Opcode Fuzzy Hash: 99fbb0c1736c73d84af802fc99a106c670fe7ad35a02678b9fb109cf4adbdfad
                    • Instruction Fuzzy Hash: 91E189352087169FC714DF24C45093ABBE2BF98318F18895DF99A9B3A2DB34ED45CB81
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen$BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 1256254125-909552448
                    • Opcode ID: 0b574317732dce67eb7798c0be072377c2bde064dcb0f8d8457114684489f98a
                    • Instruction ID: 63bbcf845fdd2bda24ebac2b1380ec6d77a9477eb0407038006283efd66dc887
                    • Opcode Fuzzy Hash: 0b574317732dce67eb7798c0be072377c2bde064dcb0f8d8457114684489f98a
                    • Instruction Fuzzy Hash: E0711B326005AB4BCB28DE7ED9415BE3F95BFA0750B650524FCEAA7284E630CD42C790
                    APIs
                    • _wcslen.LIBCMT ref: 005F835A
                    • _wcslen.LIBCMT ref: 005F836E
                    • _wcslen.LIBCMT ref: 005F8391
                    • _wcslen.LIBCMT ref: 005F83B4
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005F83F2
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,005F361A,?), ref: 005F844E
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005F8487
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005F84CA
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005F8501
                    • FreeLibrary.KERNEL32(?), ref: 005F850D
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005F851D
                    • DestroyIcon.USER32(?), ref: 005F852C
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005F8549
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005F8555
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                    • String ID: .dll$.exe$.icl
                    • API String ID: 799131459-1154884017
                    • Opcode ID: 24679b088b27fea0bd076721f340fc497316663bd7d0b5c912b5bdfa9e7a0382
                    • Instruction ID: 2ce190765e61936b11c69bd383eb56f15f0d8abc5779967bf8a753051d44f3fd
                    • Opcode Fuzzy Hash: 24679b088b27fea0bd076721f340fc497316663bd7d0b5c912b5bdfa9e7a0382
                    • Instruction Fuzzy Hash: BE61F17150021ABBEB14DF64CC49BBE7FA8BB44710F10451AFD15EA1D0EB78A984DBA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 0-1645009161
                    • Opcode ID: dde2ed9c49045cedb7d859f2916bb3ea4a344db4233185e8ae4662c12be7e1a3
                    • Instruction ID: d94ef84bd99b9036cf3c1fa046dc8711e0fe3e4520ba757b6452fd34db812345
                    • Opcode Fuzzy Hash: dde2ed9c49045cedb7d859f2916bb3ea4a344db4233185e8ae4662c12be7e1a3
                    • Instruction Fuzzy Hash: 2D81C27160460AABDB20AF60DC46FBE3FA9FF99304F144424FD05AB196EB74D901CBA1
                    APIs
                    • LoadIconW.USER32(00000063), ref: 005C5A2E
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005C5A40
                    • SetWindowTextW.USER32(?,?), ref: 005C5A57
                    • GetDlgItem.USER32(?,000003EA), ref: 005C5A6C
                    • SetWindowTextW.USER32(00000000,?), ref: 005C5A72
                    • GetDlgItem.USER32(?,000003E9), ref: 005C5A82
                    • SetWindowTextW.USER32(00000000,?), ref: 005C5A88
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005C5AA9
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005C5AC3
                    • GetWindowRect.USER32(?,?), ref: 005C5ACC
                    • _wcslen.LIBCMT ref: 005C5B33
                    • SetWindowTextW.USER32(?,?), ref: 005C5B6F
                    • GetDesktopWindow.USER32 ref: 005C5B75
                    • GetWindowRect.USER32(00000000), ref: 005C5B7C
                    • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 005C5BD3
                    • GetClientRect.USER32(?,?), ref: 005C5BE0
                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 005C5C05
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005C5C2F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                    • String ID:
                    • API String ID: 895679908-0
                    • Opcode ID: 6067e51a46e96df4f1ad3b6b18cf01c9e4a56dab80c2ff92e33091bfbdbd661a
                    • Instruction ID: 9819de5c2c93577cfbffd07c00b7046aa3cea4550b348010b5600858e59bb1ad
                    • Opcode Fuzzy Hash: 6067e51a46e96df4f1ad3b6b18cf01c9e4a56dab80c2ff92e33091bfbdbd661a
                    • Instruction Fuzzy Hash: FA713831900A09AFDB209FA9CE85FAEBFF5FB48705F10492CE542A65A0E775B944CB50
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[b
                    • API String ID: 176396367-1132615434
                    • Opcode ID: b6eefe826effd35399cf9b9fd0881ca423a2c94c6e5ca83a0a6f29ad3175a1b5
                    • Instruction ID: 411b0b2bff58fb359431b1e3533aba3891c3ff43c5a9d0bf0a10a10b84920a89
                    • Opcode Fuzzy Hash: b6eefe826effd35399cf9b9fd0881ca423a2c94c6e5ca83a0a6f29ad3175a1b5
                    • Instruction Fuzzy Hash: 48E1D231A0052AAECF289FE8C495BEDBFA1BF44710F54C51DE856B7240DB30AE85CB90
                    APIs
                    • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005800C6
                      • Part of subcall function 005800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0063070C,00000FA0,7CFCAF9B,?,?,?,?,005A23B3,000000FF), ref: 0058011C
                      • Part of subcall function 005800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005A23B3,000000FF), ref: 00580127
                      • Part of subcall function 005800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005A23B3,000000FF), ref: 00580138
                      • Part of subcall function 005800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0058014E
                      • Part of subcall function 005800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0058015C
                      • Part of subcall function 005800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0058016A
                      • Part of subcall function 005800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00580195
                      • Part of subcall function 005800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005801A0
                    • ___scrt_fastfail.LIBCMT ref: 005800E7
                      • Part of subcall function 005800A3: __onexit.LIBCMT ref: 005800A9
                    Strings
                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00580122
                    • kernel32.dll, xrefs: 00580133
                    • InitializeConditionVariable, xrefs: 00580148
                    • SleepConditionVariableCS, xrefs: 00580154
                    • WakeAllConditionVariable, xrefs: 00580162
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                    • API String ID: 66158676-1714406822
                    • Opcode ID: f9c75c112764d5f2ffbaaba85f5bc6b51686530e57f3ac54443ec02c25df552a
                    • Instruction ID: a7b19b8af0a9ecce10ca8eec0f6995ccf0430a093abb039fd10bf7191380fa0a
                    • Opcode Fuzzy Hash: f9c75c112764d5f2ffbaaba85f5bc6b51686530e57f3ac54443ec02c25df552a
                    • Instruction Fuzzy Hash: 6A210432644715ABE7606B64AC0EB3E3FA9FF45B60F000539FD01F66D1DB689808CB90
                    APIs
                    • CharLowerBuffW.USER32(00000000,00000000,005FCC08), ref: 005D4527
                    • _wcslen.LIBCMT ref: 005D453B
                    • _wcslen.LIBCMT ref: 005D4599
                    • _wcslen.LIBCMT ref: 005D45F4
                    • _wcslen.LIBCMT ref: 005D463F
                    • _wcslen.LIBCMT ref: 005D46A7
                      • Part of subcall function 0057F9F2: _wcslen.LIBCMT ref: 0057F9FD
                    • GetDriveTypeW.KERNEL32(?,00626BF0,00000061), ref: 005D4743
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen$BuffCharDriveLowerType
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2055661098-1000479233
                    • Opcode ID: 87101231a921b073a00e3e2d06642ee4cac563f064c1f5a0b3b70114c4aedee7
                    • Instruction ID: b2b968ab4b208e604d490a6c1f394c55be3b697414b1a9534c64b99d9a2c1b00
                    • Opcode Fuzzy Hash: 87101231a921b073a00e3e2d06642ee4cac563f064c1f5a0b3b70114c4aedee7
                    • Instruction Fuzzy Hash: 67B1AB316083029BC720DF28D894A6ABBE5BFA5764F50492FF49AD7391D730D845CFA2
                    APIs
                      • Part of subcall function 00579BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00579BB2
                    • DragQueryPoint.SHELL32(?,?), ref: 005F9147
                      • Part of subcall function 005F7674: ClientToScreen.USER32(?,?), ref: 005F769A
                      • Part of subcall function 005F7674: GetWindowRect.USER32(?,?), ref: 005F7710
                      • Part of subcall function 005F7674: PtInRect.USER32(?,?,005F8B89), ref: 005F7720
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 005F91B0
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005F91BB
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005F91DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 005F9225
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 005F923E
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 005F9255
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 005F9277
                    • DragFinish.SHELL32(?), ref: 005F927E
                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005F9371
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#c
                    • API String ID: 221274066-2767330495
                    • Opcode ID: 5f1ed25525b76547392ef3d2f1d8939a78de590ed92d7059e6edd3f9c53c4e16
                    • Instruction ID: 41bec2d25d3cfeb8db3739daf7d032a7bae947d249911d01f00754aaec8e6238
                    • Opcode Fuzzy Hash: 5f1ed25525b76547392ef3d2f1d8939a78de590ed92d7059e6edd3f9c53c4e16
                    • Instruction Fuzzy Hash: 52616671108306AFD701DF64D989EABBFE9FBD9350F00092EF595971A0DB309A49CB92
                    APIs
                    • _wcslen.LIBCMT ref: 005EB198
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005EB1B0
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005EB1D4
                    • _wcslen.LIBCMT ref: 005EB200
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005EB214
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005EB236
                    • _wcslen.LIBCMT ref: 005EB332
                      • Part of subcall function 005D05A7: GetStdHandle.KERNEL32(000000F6), ref: 005D05C6
                    • _wcslen.LIBCMT ref: 005EB34B
                    • _wcslen.LIBCMT ref: 005EB366
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005EB3B6
                    • GetLastError.KERNEL32(00000000), ref: 005EB407
                    • CloseHandle.KERNEL32(?), ref: 005EB439
                    • CloseHandle.KERNEL32(00000000), ref: 005EB44A
                    • CloseHandle.KERNEL32(00000000), ref: 005EB45C
                    • CloseHandle.KERNEL32(00000000), ref: 005EB46E
                    • CloseHandle.KERNEL32(?), ref: 005EB4E3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                    • String ID:
                    • API String ID: 2178637699-0
                    • Opcode ID: df3b92cb3915513d2c74dbdb0f80fd7a35b7e44c602f0cd863c329e9e178d7a7
                    • Instruction ID: 1bdc4158b12f0ecc339e2523ca2e98361e9c287fd852d9d8b4d31086484e14d6
                    • Opcode Fuzzy Hash: df3b92cb3915513d2c74dbdb0f80fd7a35b7e44c602f0cd863c329e9e178d7a7
                    • Instruction Fuzzy Hash: 73F19B315042419FDB28EF25C895B2BBFE5BF85314F14885DF89A9B2A2DB31EC44CB52
                    APIs
                    • GetMenuItemCount.USER32(00631990), ref: 005A2F8D
                    • GetMenuItemCount.USER32(00631990), ref: 005A303D
                    • GetCursorPos.USER32(?), ref: 005A3081
                    • SetForegroundWindow.USER32(00000000), ref: 005A308A
                    • TrackPopupMenuEx.USER32(00631990,00000000,?,00000000,00000000,00000000), ref: 005A309D
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005A30A9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                    • String ID: 0
                    • API String ID: 36266755-4108050209
                    • Opcode ID: 6b6396a5c8791728009ab8fa960a6a5a9552db832eab4658c6b7cdaf9d93d198
                    • Instruction ID: e2a4f5ba0a85fa695038b205933ec2c6eb3076f157202d1f2c8b286aca2a04bd
                    • Opcode Fuzzy Hash: 6b6396a5c8791728009ab8fa960a6a5a9552db832eab4658c6b7cdaf9d93d198
                    • Instruction Fuzzy Hash: 96710B70644206BEFB218F68CC4AFAEBF65FF06324F204216F515AA1E0C7B1AD54DB50
                    APIs
                    • DestroyWindow.USER32(?,?), ref: 005F6DEB
                      • Part of subcall function 00566B57: _wcslen.LIBCMT ref: 00566B6A
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005F6E5F
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005F6E81
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005F6E94
                    • DestroyWindow.USER32(?), ref: 005F6EB5
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00560000,00000000), ref: 005F6EE4
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005F6EFD
                    • GetDesktopWindow.USER32 ref: 005F6F16
                    • GetWindowRect.USER32(00000000), ref: 005F6F1D
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005F6F35
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005F6F4D
                      • Part of subcall function 00579944: GetWindowLongW.USER32(?,000000EB), ref: 00579952
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                    • String ID: 0$tooltips_class32
                    • API String ID: 2429346358-3619404913
                    • Opcode ID: fc2208535f73178e684da421deb4a9f303f44afd263f2a50ab1ae98cb893b863
                    • Instruction ID: a861226e6dc68896bb3bc5dc021006648563e5062274ea8f8b61f97c5a30a34a
                    • Opcode Fuzzy Hash: fc2208535f73178e684da421deb4a9f303f44afd263f2a50ab1ae98cb893b863
                    • Instruction Fuzzy Hash: 25714A75104249AFDB21DF18D884BBABFE9FB89304F04481DFA99CB2A1C774A909DB11
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005DC4B0
                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005DC4C3
                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005DC4D7
                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005DC4F0
                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 005DC533
                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005DC549
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005DC554
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005DC584
                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005DC5DC
                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005DC5F0
                    • InternetCloseHandle.WININET(00000000), ref: 005DC5FB
                    Similarity
                    • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                    • String ID:
                    • API String ID: 3800310941-3916222277
                    • Opcode ID: 8e788fa8b4951c6903eca71151f08669e2c7dac2608acc2c9755985ce621f3d4
                    • Instruction ID: 99d4e224461f55ddb2479df8e241eefc4d2074cc72dc3391a44d3ad0ba38140a
                    • Opcode Fuzzy Hash: 8e788fa8b4951c6903eca71151f08669e2c7dac2608acc2c9755985ce621f3d4
                    • Instruction Fuzzy Hash: 0A513AB150020AAFDB319F68D948ABA7FBCFB58754F00452BF946D6250DB34E948EB60
                    APIs
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 005F8592
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 005F85A2
                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 005F85AD
                    • CloseHandle.KERNEL32(00000000), ref: 005F85BA
                    • GlobalLock.KERNEL32(00000000), ref: 005F85C8
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005F85D7
                    • GlobalUnlock.KERNEL32(00000000), ref: 005F85E0
                    • CloseHandle.KERNEL32(00000000), ref: 005F85E7
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005F85F8
                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,005FFC38,?), ref: 005F8611
                    • GlobalFree.KERNEL32(00000000), ref: 005F8621
                    • GetObjectW.GDI32(?,00000018,000000FF), ref: 005F8641
                    • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005F8671
                    • DeleteObject.GDI32(00000000), ref: 005F8699
                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005F86AF
                    Similarity
                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                    • String ID:
                    • API String ID: 3840717409-0
                    • Opcode ID: 09506bcd6c5846918c6d99a7312d9f6fe14600c440ebc1d0a2a90d513e839f7e
                    • Instruction ID: 40980210bee10a439930d647e12ccc1a8550930b230e431f66fe02feac9ca86b
                    • Opcode Fuzzy Hash: 09506bcd6c5846918c6d99a7312d9f6fe14600c440ebc1d0a2a90d513e839f7e
                    • Instruction Fuzzy Hash: 2D410875600208AFDB11DFA5CD48EBA7FB8FF99751F104068F905EB260DB389905EB60
                    APIs
                    • VariantInit.OLEAUT32(00000000), ref: 005D1502
                    • VariantCopy.OLEAUT32(?,?), ref: 005D150B
                    • VariantClear.OLEAUT32(?), ref: 005D1517
                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005D15FB
                    • VarR8FromDec.OLEAUT32(?,?), ref: 005D1657
                    • VariantInit.OLEAUT32(?), ref: 005D1708
                    • SysFreeString.OLEAUT32(?), ref: 005D178C
                    • VariantClear.OLEAUT32(?), ref: 005D17D8
                    • VariantClear.OLEAUT32(?), ref: 005D17E7
                    • VariantInit.OLEAUT32(00000000), ref: 005D1823
                    Similarity
                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                    • API String ID: 1234038744-3931177956
                    • Opcode ID: 90d5bcf6f3a96555390b643dfaa101d1751cd8fe71a4eb3e16ee355d440bf62d
                    • Instruction ID: 088183b37cbe54fb03b3cfc7cf8d99fbee5d2c277f7b8570ee58778285c7e1c8
                    • Opcode Fuzzy Hash: 90d5bcf6f3a96555390b643dfaa101d1751cd8fe71a4eb3e16ee355d440bf62d
                    • Instruction Fuzzy Hash: ECD1DF71A00916EBDB209F69F889B79BFB5BF85700F108457E406AB290DB38DC44EF65
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                      • Part of subcall function 005EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005EB6AE,?,?), ref: 005EC9B5
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005EC9F1
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005ECA68
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005ECA9E
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005EB6F4
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005EB772
                    • RegDeleteValueW.ADVAPI32(?,?), ref: 005EB80A
                    • RegCloseKey.ADVAPI32(?), ref: 005EB87E
                    • RegCloseKey.ADVAPI32(?), ref: 005EB89C
                    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 005EB8F2
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005EB904
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 005EB922
                    • FreeLibrary.KERNEL32(00000000), ref: 005EB983
                    • RegCloseKey.ADVAPI32(00000000), ref: 005EB994
                    Similarity
                    • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 146587525-4033151799
                    • Opcode ID: d0298b5db654c9d542a231961d935114330dabca28bcb6bf20633dec3902f8a9
                    • Instruction ID: 660d1489f7e995b9f8ecd7e8946efb23adaa7a8db05ceded46c2e0a39f391cb0
                    • Opcode Fuzzy Hash: d0298b5db654c9d542a231961d935114330dabca28bcb6bf20633dec3902f8a9
                    • Instruction Fuzzy Hash: 08C16C30208242AFE714DF15C499F2ABFE5BF84308F14859CE49A8B7A2CB75ED45CB91
                    APIs
                    • GetDC.USER32(00000000), ref: 005E25D8
                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005E25E8
                    • CreateCompatibleDC.GDI32(?), ref: 005E25F4
                    • SelectObject.GDI32(00000000,?), ref: 005E2601
                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005E266D
                    • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005E26AC
                    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005E26D0
                    • SelectObject.GDI32(?,?), ref: 005E26D8
                    • DeleteObject.GDI32(?), ref: 005E26E1
                    • DeleteDC.GDI32(?), ref: 005E26E8
                    • ReleaseDC.USER32(00000000,?), ref: 005E26F3
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: 4e38a0e53aff0eb964fadcdf09ee2182bd5736b7bdc267c408833f75acdaad61
                    • Instruction ID: 4f9a146299478b01d4cfd0957155bd76a8f2914ac7325ee7899ac0883397e3b5
                    • Opcode Fuzzy Hash: 4e38a0e53aff0eb964fadcdf09ee2182bd5736b7bdc267c408833f75acdaad61
                    • Instruction Fuzzy Hash: 5661E175D00219EFCF04CFA8D988EAEBBB9FF48310F20852AE956A7250D774A951DF50
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 0059DAA1
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D659
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D66B
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D67D
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D68F
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D6A1
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D6B3
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D6C5
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D6D7
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D6E9
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D6FB
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D70D
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D71F
                      • Part of subcall function 0059D63C: _free.LIBCMT ref: 0059D731
                    • _free.LIBCMT ref: 0059DA96
                      • Part of subcall function 005929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000), ref: 005929DE
                      • Part of subcall function 005929C8: GetLastError.KERNEL32(00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000,00000000), ref: 005929F0
                    • _free.LIBCMT ref: 0059DAB8
                    • _free.LIBCMT ref: 0059DACD
                    • _free.LIBCMT ref: 0059DAD8
                    • _free.LIBCMT ref: 0059DAFA
                    • _free.LIBCMT ref: 0059DB0D
                    • _free.LIBCMT ref: 0059DB1B
                    • _free.LIBCMT ref: 0059DB26
                    • _free.LIBCMT ref: 0059DB5E
                    • _free.LIBCMT ref: 0059DB65
                    • _free.LIBCMT ref: 0059DB82
                    • _free.LIBCMT ref: 0059DB9A
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: 0f3c7e71f15c6f0efd2703291feff8d6319b9069c7346574e018f960ce1ce690
                    • Instruction ID: 07631fe732496987650aa4636d3b442d4ffaa115b0e10daa6c15ca7d872dec74
                    • Opcode Fuzzy Hash: 0f3c7e71f15c6f0efd2703291feff8d6319b9069c7346574e018f960ce1ce690
                    • Instruction Fuzzy Hash: 25312831604606AFEF21AA39E849B5ABFFAFF50320F554429E44DD7191DA35AC908B70
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 005C369C
                    • _wcslen.LIBCMT ref: 005C36A7
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005C3797
                    • GetClassNameW.USER32(?,?,00000400), ref: 005C380C
                    • GetDlgCtrlID.USER32(?), ref: 005C385D
                    • GetWindowRect.USER32(?,?), ref: 005C3882
                    • GetParent.USER32(?), ref: 005C38A0
                    • ScreenToClient.USER32(00000000), ref: 005C38A7
                    • GetClassNameW.USER32(?,?,00000100), ref: 005C3921
                    • GetWindowTextW.USER32(?,?,00000400), ref: 005C395D
                    Similarity
                    • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                    • String ID: %s%u
                    • API String ID: 4010501982-679674701
                    • Opcode ID: 47c64d9f76d768a692fc5dee4558cea00770fe777f8c740fabb811f762445732
                    • Instruction ID: c5fbf00067848598b9ac1662300482fc1239c7c82f5b83184bcb746e8e016608
                    • Opcode Fuzzy Hash: 47c64d9f76d768a692fc5dee4558cea00770fe777f8c740fabb811f762445732
                    • Instruction Fuzzy Hash: C591B37120460BAFD719DFA4C885FAAFBA8FF44350F00852DF999D2190DB74EA49CB91
                    APIs
                    • GetClassNameW.USER32(?,?,00000400), ref: 005C4994
                    • GetWindowTextW.USER32(?,?,00000400), ref: 005C49DA
                    • _wcslen.LIBCMT ref: 005C49EB
                    • CharUpperBuffW.USER32(?,00000000), ref: 005C49F7
                    • _wcsstr.LIBVCRUNTIME ref: 005C4A2C
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 005C4A64
                    • GetWindowTextW.USER32(?,?,00000400), ref: 005C4A9D
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 005C4AE6
                    • GetClassNameW.USER32(?,?,00000400), ref: 005C4B20
                    • GetWindowRect.USER32(?,?), ref: 005C4B8B
                    Similarity
                    • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                    • String ID: ThumbnailClass
                    • API String ID: 1311036022-1241985126
                    • Opcode ID: 45343a05653cd01431edf8a2e8082485e10f30a567324bea021cf0aa48b06659
                    • Instruction ID: 64a58558381441af3689758bb30500cfdd596e54272d8358eaaa2011f7a265a3
                    • Opcode Fuzzy Hash: 45343a05653cd01431edf8a2e8082485e10f30a567324bea021cf0aa48b06659
                    • Instruction Fuzzy Hash: 3C918C7100820A9FDB04DE94C995FAA7FA9FF84314F04846DFD869A096DB34ED49CFA1
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005ECC64
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 005ECC8D
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005ECD48
                      • Part of subcall function 005ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 005ECCAA
                      • Part of subcall function 005ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 005ECCBD
                      • Part of subcall function 005ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005ECCCF
                      • Part of subcall function 005ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005ECD05
                      • Part of subcall function 005ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005ECD28
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 005ECCF3
                    Similarity
                    • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2734957052-4033151799
                    • Opcode ID: cc1770b2f875b43e5390d285edb4081e3e94e718950f6f64c22c8b08a2783423
                    • Instruction ID: ab88a4e8c6dbb0a7c3c0a6b7ef8e94e910e1b180fbffe6ccac178482898494e6
                    • Opcode Fuzzy Hash: cc1770b2f875b43e5390d285edb4081e3e94e718950f6f64c22c8b08a2783423
                    • Instruction Fuzzy Hash: 92318971901169BBDB248B56DD88EFFBF7CFF15740F000075E946E6200DA388E4AEAA0
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005D3D40
                    • _wcslen.LIBCMT ref: 005D3D6D
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 005D3D9D
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005D3DBE
                    • RemoveDirectoryW.KERNEL32(?), ref: 005D3DCE
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005D3E55
                    • CloseHandle.KERNEL32(00000000), ref: 005D3E60
                    • CloseHandle.KERNEL32(00000000), ref: 005D3E6B
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                    • String ID: :$\$\??\%s
                    • API String ID: 1149970189-3457252023
                    • Opcode ID: 36cb7078ee482da27bbeadfae3a8b991188235200e7bd29964b16e1d3302f954
                    • Instruction ID: 5cd652e98e74454ab92121499bd2b699174f40d0f3081031eb9e2144fff30e21
                    • Opcode Fuzzy Hash: 36cb7078ee482da27bbeadfae3a8b991188235200e7bd29964b16e1d3302f954
                    • Instruction Fuzzy Hash: FE31937590020AAADB20ABA4DC49FEF3BBDFF88740F1040B6F509D6160E7749744DB25
                    APIs
                    • timeGetTime.WINMM ref: 005CE6B4
                      • Part of subcall function 0057E551: timeGetTime.WINMM(?,?,005CE6D4), ref: 0057E555
                    • Sleep.KERNEL32(0000000A), ref: 005CE6E1
                    • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 005CE705
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005CE727
                    • SetActiveWindow.USER32 ref: 005CE746
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005CE754
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 005CE773
                    • Sleep.KERNEL32(000000FA), ref: 005CE77E
                    • IsWindow.USER32 ref: 005CE78A
                    • EndDialog.USER32(00000000), ref: 005CE79B
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: 93ddc7b4c34d55cc47f7ed100dec321364a4c2a8a27c5df3dfefd26a76264402
                    • Instruction ID: f91718898f40c171a8c6a0cf9f7f40b9b48687c52e9ea03cdde13cf7dc0553db
                    • Opcode Fuzzy Hash: 93ddc7b4c34d55cc47f7ed100dec321364a4c2a8a27c5df3dfefd26a76264402
                    • Instruction Fuzzy Hash: D021A1B120064AAFEB005FA1ED9BF353FAAFB66348B102438F401C51A1DB75AC54EA64
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005CEA5D
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005CEA73
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005CEA84
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005CEA96
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005CEAA7
                    Similarity
                    • API ID: SendString$_wcslen
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2420728520-1007645807
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 005C5CE2
                    • GetWindowRect.USER32(00000000,?), ref: 005C5CFB
                    • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005C5D59
                    • GetDlgItem.USER32(?,00000002), ref: 005C5D69
                    • GetWindowRect.USER32(00000000,?), ref: 005C5D7B
                    • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 005C5DCF
                    • GetDlgItem.USER32(?,000003E9), ref: 005C5DDD
                    • GetWindowRect.USER32(00000000,?), ref: 005C5DEF
                    • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 005C5E31
                    • GetDlgItem.USER32(?,000003EA), ref: 005C5E44
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005C5E5A
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 005C5E67
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    APIs
                      • Part of subcall function 00578F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00578BE8,?,00000000,?,?,?,?,00578BBA,00000000,?), ref: 00578FC5
                    • DestroyWindow.USER32(?), ref: 00578C81
                    • KillTimer.USER32(00000000,?,?,?,?,00578BBA,00000000,?), ref: 00578D1B
                    • DestroyAcceleratorTable.USER32(00000000), ref: 005B6973
                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00578BBA,00000000,?), ref: 005B69A1
                    • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00578BBA,00000000,?), ref: 005B69B8
                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00578BBA,00000000), ref: 005B69D4
                    • DeleteObject.GDI32(00000000), ref: 005B69E6
                    Similarity
                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 641708696-0
                    APIs
                      • Part of subcall function 00579944: GetWindowLongW.USER32(?,000000EB), ref: 00579952
                    • GetSysColor.USER32(0000000F), ref: 00579862
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,005AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 005C9717
                    • LoadStringW.USER32(00000000,?,005AF7F8,00000001), ref: 005C9720
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,005AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 005C9742
                    • LoadStringW.USER32(00000000,?,005AF7F8,00000001), ref: 005C9745
                    • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 005C9866
                    Strings
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wcslen
                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                    • API String ID: 747408836-2268648507
                    APIs
                      • Part of subcall function 00566B57: _wcslen.LIBCMT ref: 00566B6A
                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005C07A2
                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005C07BE
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005C07DA
                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005C0804
                    • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005C082C
                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005C0837
                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005C083C
                    Strings
                    Similarity
                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                    • API String ID: 323675364-22481851
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 005E3C5C
                    • CoInitialize.OLE32(00000000), ref: 005E3C8A
                    • CoUninitialize.OLE32 ref: 005E3C94
                    • _wcslen.LIBCMT ref: 005E3D2D
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 005E3DB1
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 005E3ED5
                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 005E3F0E
                    • CoGetObject.OLE32(?,00000000,005FFB98,?), ref: 005E3F2D
                    • SetErrorMode.KERNEL32(00000000), ref: 005E3F40
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005E3FC4
                    • VariantClear.OLEAUT32(?), ref: 005E3FD8
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                    • String ID:
                    • API String ID: 429561992-0
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 005D7AF3
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005D7B8F
                    • SHGetDesktopFolder.SHELL32(?), ref: 005D7BA3
                    • CoCreateInstance.OLE32(005FFD08,00000000,00000001,00626E6C,?), ref: 005D7BEF
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005D7C74
                    • CoTaskMemFree.OLE32(?,?), ref: 005D7CCC
                    • SHBrowseForFolderW.SHELL32(?), ref: 005D7D57
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005D7D7A
                    • CoTaskMemFree.OLE32(00000000), ref: 005D7D81
                    • CoTaskMemFree.OLE32(00000000), ref: 005D7DD6
                    • CoUninitialize.OLE32 ref: 005D7DDC
                    Similarity
                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                    • String ID:
                    • API String ID: 2762341140-0
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005F5504
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005F5515
                    • CharNextW.USER32(00000158), ref: 005F5544
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005F5585
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005F559B
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005F55AC
                    Similarity
                    • API ID: MessageSend$CharNext
                    • String ID:
                    • API String ID: 1350042424-0
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005BFAAF
                    • SafeArrayAllocData.OLEAUT32(?), ref: 005BFB08
                    • VariantInit.OLEAUT32(?), ref: 005BFB1A
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 005BFB3A
                    • VariantCopy.OLEAUT32(?,?), ref: 005BFB8D
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 005BFBA1
                    • VariantClear.OLEAUT32(?), ref: 005BFBB6
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 005BFBC3
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005BFBCC
                    • VariantClear.OLEAUT32(?), ref: 005BFBDE
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005BFBE9
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    APIs
                    • GetKeyboardState.USER32(?), ref: 005C9CA1
                    • GetAsyncKeyState.USER32(000000A0), ref: 005C9D22
                    • GetKeyState.USER32(000000A0), ref: 005C9D3D
                    • GetAsyncKeyState.USER32(000000A1), ref: 005C9D57
                    • GetKeyState.USER32(000000A1), ref: 005C9D6C
                    • GetAsyncKeyState.USER32(00000011), ref: 005C9D84
                    • GetKeyState.USER32(00000011), ref: 005C9D96
                    • GetAsyncKeyState.USER32(00000012), ref: 005C9DAE
                    • GetKeyState.USER32(00000012), ref: 005C9DC0
                    • GetAsyncKeyState.USER32(0000005B), ref: 005C9DD8
                    • GetKeyState.USER32(0000005B), ref: 005C9DEA
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    APIs
                    • WSAStartup.WSOCK32(00000101,?), ref: 005E05BC
                    • inet_addr.WSOCK32(?), ref: 005E061C
                    • gethostbyname.WSOCK32(?), ref: 005E0628
                    • IcmpCreateFile.IPHLPAPI ref: 005E0636
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005E06C6
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005E06E5
                    • IcmpCloseHandle.IPHLPAPI(?), ref: 005E07B9
                    • WSACleanup.WSOCK32 ref: 005E07BF
                    Strings
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    APIs
                    Strings
                    Similarity
                    • API ID: _wcslen$BuffCharLower
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 707087890-567219261
                    APIs
                    • CoInitialize.OLE32 ref: 005E3774
                    • CoUninitialize.OLE32 ref: 005E377F
                    • CoCreateInstance.OLE32(?,00000000,00000017,005FFB78,?), ref: 005E37D9
                    • IIDFromString.OLE32(?,?), ref: 005E384C
                    • VariantInit.OLEAUT32(?), ref: 005E38E4
                    • VariantClear.OLEAUT32(?), ref: 005E3936
                    Strings
                    Similarity
                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 636576611-1287834457
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005D33CF
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005D33F0
                    Strings
                    Similarity
                    • API ID: LoadString$_wcslen
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                    • API String ID: 4099089115-3080491070
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen$BuffCharUpper
                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                    • API String ID: 1256254125-769500911
                    • Opcode ID: d15c8c216144fe52006c316c436f9075f56ce8cfb43f91dbbb576c139fee93b2
                    • Instruction ID: 3da6cdd28876bd6d3a10322d51c3f9e7a7c11bdd94c3732ec52e3e6dc054976a
                    • Opcode Fuzzy Hash: d15c8c216144fe52006c316c436f9075f56ce8cfb43f91dbbb576c139fee93b2
                    • Instruction Fuzzy Hash: EF41B932A000279EDB205FBDC992ABE7FA5BBA0754F24412DE865D7284E735CDC1C790
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 005D53A0
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005D5416
                    • GetLastError.KERNEL32 ref: 005D5420
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 005D54A7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: 9506dedacedb26fb9a8114510d25a30ce01802e1ba9677616e938c2a0eec6b92
                    • Instruction ID: b6e59111dd1e507db9ef71671c568369f675bdfcdb09c46891b948edd08fd69c
                    • Opcode Fuzzy Hash: 9506dedacedb26fb9a8114510d25a30ce01802e1ba9677616e938c2a0eec6b92
                    • Instruction Fuzzy Hash: 81316D35A006099FDB20DF68C488AAA7FA4FB55305F54846BE405CB392E670DD86CB92
                    APIs
                    • CreateMenu.USER32 ref: 005F3C79
                    • SetMenu.USER32(?,00000000), ref: 005F3C88
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005F3D10
                    • IsMenu.USER32(?), ref: 005F3D24
                    • CreatePopupMenu.USER32 ref: 005F3D2E
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005F3D5B
                    • DrawMenuBar.USER32 ref: 005F3D63
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                    • String ID: 0$F
                    • API String ID: 161812096-3044882817
                    • Opcode ID: c10ff7b85b90f0e17c96dc890505e4e362cfbada99cbdd5a7ddd2197a9bae68c
                    • Instruction ID: 51ecedaac468c2f7277e17deb6ebb2300e905d6c88afebf98da5c126302e503f
                    • Opcode Fuzzy Hash: c10ff7b85b90f0e17c96dc890505e4e362cfbada99cbdd5a7ddd2197a9bae68c
                    • Instruction Fuzzy Hash: D8416779A01209EFEB14DF64D884AAA7FB5FF49350F140428FA46E7360D738AA14DF90
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005F3A9D
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005F3AA0
                    • GetWindowLongW.USER32(?,000000F0), ref: 005F3AC7
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005F3AEA
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005F3B62
                    • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005F3BAC
                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005F3BC7
                    • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005F3BE2
                    • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005F3BF6
                    • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005F3C13
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow
                    • String ID:
                    • API String ID: 312131281-0
                    • Opcode ID: 7793a5c16871aeb3e75404cbc34db41402e082c3b08d0b576cc20d7ac09ea6bd
                    • Instruction ID: c79d9318914747917e64a974eced10483b07f21e08bc88874a4931281861bd1f
                    • Opcode Fuzzy Hash: 7793a5c16871aeb3e75404cbc34db41402e082c3b08d0b576cc20d7ac09ea6bd
                    • Instruction Fuzzy Hash: 9B615775900248AFEB10DFA8CC81EFE7BB9BF49700F104199FA15AB2A1C774AE45DB50
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 005CB151
                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,005CA1E1,?,00000001), ref: 005CB165
                    • GetWindowThreadProcessId.USER32(00000000), ref: 005CB16C
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005CA1E1,?,00000001), ref: 005CB17B
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 005CB18D
                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,005CA1E1,?,00000001), ref: 005CB1A6
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005CA1E1,?,00000001), ref: 005CB1B8
                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005CA1E1,?,00000001), ref: 005CB1FD
                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,005CA1E1,?,00000001), ref: 005CB212
                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,005CA1E1,?,00000001), ref: 005CB21D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                    • String ID:
                    • API String ID: 2156557900-0
                    • Opcode ID: 758837428ff7f45109e954e9b8815869d21f8d321b6b661696c7263aa25936b4
                    • Instruction ID: d58519d81e0f89defd8eba2a94d1c4f3e853a938da58c7af3854381c1a162ff3
                    • Opcode Fuzzy Hash: 758837428ff7f45109e954e9b8815869d21f8d321b6b661696c7263aa25936b4
                    • Instruction Fuzzy Hash: 3A318D75500218BFEB249FA4DD4AF7E7FAABB61311F144419FA01D6290D7B89E44CFA0
                    APIs
                    • _free.LIBCMT ref: 00592C94
                      • Part of subcall function 005929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000), ref: 005929DE
                      • Part of subcall function 005929C8: GetLastError.KERNEL32(00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000,00000000), ref: 005929F0
                    • _free.LIBCMT ref: 00592CA0
                    • _free.LIBCMT ref: 00592CAB
                    • _free.LIBCMT ref: 00592CB6
                    • _free.LIBCMT ref: 00592CC1
                    • _free.LIBCMT ref: 00592CCC
                    • _free.LIBCMT ref: 00592CD7
                    • _free.LIBCMT ref: 00592CE2
                    • _free.LIBCMT ref: 00592CED
                    • _free.LIBCMT ref: 00592CFB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 68c215d2120538b8c1408ddca7b90b63d92c7a48c07e274769d41b7fe59fb413
                    • Instruction ID: ca14636d3ec53822a084f3adecd1ef16311b205ddcae05797692c4b8382e7c3a
                    • Opcode Fuzzy Hash: 68c215d2120538b8c1408ddca7b90b63d92c7a48c07e274769d41b7fe59fb413
                    • Instruction Fuzzy Hash: 3E116F76500109BFCF02EF94D986CDD3FA9BF45350F9145A5FA4C9B222DA31EA909B90
                    APIs
                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00561459
                    • OleUninitialize.OLE32(?,00000000), ref: 005614F8
                    • UnregisterHotKey.USER32(?), ref: 005616DD
                    • DestroyWindow.USER32(?), ref: 005A24B9
                    • FreeLibrary.KERNEL32(?), ref: 005A251E
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 005A254B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                    • String ID: close all
                    • API String ID: 469580280-3243417748
                    • Opcode ID: 8c7ec15d925755c1d86ee084217ba7484b7f83030d09a1b90affa381f9df1ab3
                    • Instruction ID: 7907282c1f9f086b4ae83021e5dc5f5acc41daba4a2028682ddd5973aa5f318d
                    • Opcode Fuzzy Hash: 8c7ec15d925755c1d86ee084217ba7484b7f83030d09a1b90affa381f9df1ab3
                    • Instruction Fuzzy Hash: BCD17E31702612CFCB29EF19C599A39FFA4BF59700F1881ADE44AAB251DB30AD12CF55
                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005D7FAD
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 005D7FC1
                    • GetFileAttributesW.KERNEL32(?), ref: 005D7FEB
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 005D8005
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 005D8017
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 005D8060
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005D80B0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CurrentDirectory$AttributesFile
                    • String ID: *.*
                    • API String ID: 769691225-438819550
                    • Opcode ID: 5a6156bb160c06668ed2e0a2a3f4bbc2c8eb4cda57ac8a5d7a93a8477c754754
                    • Instruction ID: 3bca0cb23b2f1d1ebeeac0c4a621dbae983402cb0a52eb99f5d229e5cb8431ad
                    • Opcode Fuzzy Hash: 5a6156bb160c06668ed2e0a2a3f4bbc2c8eb4cda57ac8a5d7a93a8477c754754
                    • Instruction Fuzzy Hash: 0D817F715082499BCB30EF68C8489BABBE8FB88314F144C5BF885D7351EB34DD498B52
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00565C7A
                      • Part of subcall function 00565D0A: GetClientRect.USER32(?,?), ref: 00565D30
                      • Part of subcall function 00565D0A: GetWindowRect.USER32(?,?), ref: 00565D71
                      • Part of subcall function 00565D0A: ScreenToClient.USER32(?,?), ref: 00565D99
                    • GetDC.USER32 ref: 005A46F5
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005A4708
                    • SelectObject.GDI32(00000000,00000000), ref: 005A4716
                    • SelectObject.GDI32(00000000,00000000), ref: 005A472B
                    • ReleaseDC.USER32(?,00000000), ref: 005A4733
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005A47C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: 095b9a8ce83fc72066c065c9f67069469bf07ba188b130451f552c7ba4fa5de2
                    • Instruction ID: 35d7e3637d3feb219762a31a0ed13a5e2ac3457880fb7907f041e128461c44fa
                    • Opcode Fuzzy Hash: 095b9a8ce83fc72066c065c9f67069469bf07ba188b130451f552c7ba4fa5de2
                    • Instruction Fuzzy Hash: DA71AC31400249DFCF218FA4C984ABE7FB6FF8A360F144269E9559B2A6D7718C42DF50
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005D35E4
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • LoadStringW.USER32(00632390,?,00000FFF,?), ref: 005D360A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: LoadString$_wcslen
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                    • API String ID: 4099089115-2391861430
                    • Opcode ID: 9d7b6e934164cbdc53796d1f75e84e5b76056ee29d81bfdda090003352864b75
                    • Instruction ID: d345b905ef7a77050ffbb2268e95379710035c1a089a706cf0174d2e6d58b198
                    • Opcode Fuzzy Hash: 9d7b6e934164cbdc53796d1f75e84e5b76056ee29d81bfdda090003352864b75
                    • Instruction Fuzzy Hash: C0514B7290060AAADB14EBA0DD4AEEEBF79BF54300F144126F105731A1EB305B98DFA1
                    APIs
                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005DC272
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005DC29A
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005DC2CA
                    • GetLastError.KERNEL32 ref: 005DC322
                    • SetEvent.KERNEL32(?), ref: 005DC336
                    • InternetCloseHandle.WININET(00000000), ref: 005DC341
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                    • String ID:
                    • API String ID: 3113390036-3916222277
                    • Opcode ID: 59268ee55f324c07718539929c177692aa77e499da66495af45ff3b77d405d6f
                    • Instruction ID: a0f3013affd5964adf464f5b239721b436e39097e76003db12fee460d4127877
                    • Opcode Fuzzy Hash: 59268ee55f324c07718539929c177692aa77e499da66495af45ff3b77d405d6f
                    • Instruction Fuzzy Hash: 4431507150120AAFD7319F698988A7B7FFCFB55744B10892FB486D2300D734D944DB61
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005A3AAF,?,?,Bad directive syntax error,005FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005C98BC
                    • LoadStringW.USER32(00000000,?,005A3AAF,?), ref: 005C98C3
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005C9987
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: HandleLoadMessageModuleString_wcslen
                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                    • API String ID: 858772685-4153970271
                    • Opcode ID: 482acfdc583122bac89fcf4bde08944ab6131924df6929b635fa7069053b5786
                    • Instruction ID: dcc3b62a64d279125219a79f13db9ce7817cb82e178cd7fd630d1953ab6e363c
                    • Opcode Fuzzy Hash: 482acfdc583122bac89fcf4bde08944ab6131924df6929b635fa7069053b5786
                    • Instruction Fuzzy Hash: 93215E3190021EABCF15EF90DC0AEFE7B79BF58700F044469F519660A2EB759A18DB51
                    APIs
                    • GetParent.USER32 ref: 005C20AB
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 005C20C0
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005C214D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ClassMessageNameParentSend
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1290815626-3381328864
                    • Opcode ID: c89c935601b14a2e349e22fb6868e91ac545bc378b4d43a359e5430f6e6104af
                    • Instruction ID: d8771760ed985fade0bc65ed724d5fb98d7a99f4ada845c9a7e606f1b9077903
                    • Opcode Fuzzy Hash: c89c935601b14a2e349e22fb6868e91ac545bc378b4d43a359e5430f6e6104af
                    • Instruction Fuzzy Hash: 7F11277A688717BEF6156260EC0AEA63F9DEB14325F20002EFF05F80D1EA7158419E14
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                    • String ID:
                    • API String ID: 1282221369-0
                    • Opcode ID: 8ed624907fe09b353f6a299bf0554ede2bb87eddb21dc50137237f4872272fc5
                    • Instruction ID: 42d8bb958711c95399c5ebcd114a0598c413b1dba95c1fc0341f0a2492529787
                    • Opcode Fuzzy Hash: 8ed624907fe09b353f6a299bf0554ede2bb87eddb21dc50137237f4872272fc5
                    • Instruction Fuzzy Hash: C5614671904302AFDF21AFB49899A7A7FE6FF45360F04416DF945A7282E7319D01CBA0
                    APIs
                    • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 005F5186
                    • ShowWindow.USER32(?,00000000), ref: 005F51C7
                    • ShowWindow.USER32(?,00000005,?,00000000), ref: 005F51CD
                    • SetFocus.USER32(?,?,00000005,?,00000000), ref: 005F51D1
                      • Part of subcall function 005F6FBA: DeleteObject.GDI32(00000000), ref: 005F6FE6
                    • GetWindowLongW.USER32(?,000000F0), ref: 005F520D
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005F521A
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005F524D
                    • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 005F5287
                    • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 005F5296
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                    • String ID:
                    • API String ID: 3210457359-0
                    • Opcode ID: 77d7860993e7098374d526d818548064c00b7b4f701124656b48c4fcc0554ab1
                    • Instruction ID: 92ccab77292fbfac566659586c328a77ab2eada71b32c56f8923bfe8e2c55bb2
                    • Opcode Fuzzy Hash: 77d7860993e7098374d526d818548064c00b7b4f701124656b48c4fcc0554ab1
                    • Instruction Fuzzy Hash: 32517D34A40A0DBEEF249F24CC49FB93F65FB45321F148211F7559A2E0E779A984EB40
                    APIs
                    • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 005B6890
                    • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005B68A9
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005B68B9
                    • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005B68D1
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005B68F2
                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00578874,00000000,00000000,00000000,000000FF,00000000), ref: 005B6901
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005B691E
                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00578874,00000000,00000000,00000000,000000FF,00000000), ref: 005B692D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                    • String ID:
                    • API String ID: 1268354404-0
                    • Opcode ID: 32605ef78a3ee931000e4e1c8c00e9bda1c2f5619cc907a63d0598fb5eb5ddab
                    • Instruction ID: b5562fe7c3781828d8dc2e80da3a327120576d9b910055320bea173a3ecf3521
                    • Opcode Fuzzy Hash: 32605ef78a3ee931000e4e1c8c00e9bda1c2f5619cc907a63d0598fb5eb5ddab
                    • Instruction Fuzzy Hash: 89515970600209EFDB20CF25DC59BBA7FB6FB58750F108528F95ADA2A0DB74A950EB50
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005DC182
                    • GetLastError.KERNEL32 ref: 005DC195
                    • SetEvent.KERNEL32(?), ref: 005DC1A9
                      • Part of subcall function 005DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005DC272
                      • Part of subcall function 005DC253: GetLastError.KERNEL32 ref: 005DC322
                      • Part of subcall function 005DC253: SetEvent.KERNEL32(?), ref: 005DC336
                      • Part of subcall function 005DC253: InternetCloseHandle.WININET(00000000), ref: 005DC341
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 337547030-0
                    • Opcode ID: d7724f8384ba4818c2ab461ac581bc7c3aaf6197491c66dd702bd86c19830e7a
                    • Instruction ID: 3a47985029b1b7e480a6883b707de3ba8035984867fd4180530b0dfd008b5996
                    • Opcode Fuzzy Hash: d7724f8384ba4818c2ab461ac581bc7c3aaf6197491c66dd702bd86c19830e7a
                    • Instruction Fuzzy Hash: 46316B75201606AFDB319FA99D44A76BFE9FF68300B10482FF996C2710D735E814EB60
                    APIs
                      • Part of subcall function 005C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005C3A57
                      • Part of subcall function 005C3A3D: GetCurrentThreadId.KERNEL32 ref: 005C3A5E
                      • Part of subcall function 005C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005C25B3), ref: 005C3A65
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 005C25BD
                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005C25DB
                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005C25DF
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 005C25E9
                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005C2601
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 005C2605
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 005C260F
                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005C2623
                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 005C2627
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                    • String ID:
                    • API String ID: 2014098862-0
                    • Opcode ID: ac1cf334c54c6a2497c0a2dd4c98e20da2f6cd37191f578da0a1d535664db0db
                    • Instruction ID: 6833ec50d30076b16156f87360647b8f080ae94cd0d5085cad500ec2c5677d6a
                    • Opcode Fuzzy Hash: ac1cf334c54c6a2497c0a2dd4c98e20da2f6cd37191f578da0a1d535664db0db
                    • Instruction Fuzzy Hash: 0B01D430394218BBFB1067A99C8EF693F59EF9EB12F100415F318EE0D1C9F26458DA69
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,005C1449,?,?,00000000), ref: 005C180C
                    • HeapAlloc.KERNEL32(00000000,?,005C1449,?,?,00000000), ref: 005C1813
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005C1449,?,?,00000000), ref: 005C1828
                    • GetCurrentProcess.KERNEL32(?,00000000,?,005C1449,?,?,00000000), ref: 005C1830
                    • DuplicateHandle.KERNEL32(00000000,?,005C1449,?,?,00000000), ref: 005C1833
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005C1449,?,?,00000000), ref: 005C1843
                    • GetCurrentProcess.KERNEL32(005C1449,00000000,?,005C1449,?,?,00000000), ref: 005C184B
                    • DuplicateHandle.KERNEL32(00000000,?,005C1449,?,?,00000000), ref: 005C184E
                    • CreateThread.KERNEL32(00000000,00000000,005C1874,00000000,00000000,00000000), ref: 005C1868
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                    • String ID:
                    • API String ID: 1957940570-0
                    • Opcode ID: afb417a7b6954cc93a1080408ef60fd72168cbe02247c219d5d0d3f248a16d26
                    • Instruction ID: 89689582ce9ae3c34e49cfa8662e1f0442834f5465c03171963fe74345c4cbcf
                    • Opcode Fuzzy Hash: afb417a7b6954cc93a1080408ef60fd72168cbe02247c219d5d0d3f248a16d26
                    • Instruction Fuzzy Hash: 0E01BBB5240308BFE710ABA5DD4DF6B3FACEB99B11F004421FA05DB1A2CA749814EB60
                    APIs
                      • Part of subcall function 005CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 005CD501
                      • Part of subcall function 005CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 005CD50F
                      • Part of subcall function 005CD4DC: CloseHandle.KERNEL32(00000000), ref: 005CD5DC
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005EA16D
                    • GetLastError.KERNEL32 ref: 005EA180
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005EA1B3
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 005EA268
                    • GetLastError.KERNEL32(00000000), ref: 005EA273
                    • CloseHandle.KERNEL32(00000000), ref: 005EA2C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    • API String ID: 2533919879-2896544425
                    • Opcode ID: e774e00060a09d8faa0820462c0983235bde8bc1b18d6eeee024d662ee17d4eb
                    • Instruction ID: 9fad3e8f3eb2a7baa9d5718ade3f0e225a0c1852f8d9a83d369f866f089308fe
                    • Opcode Fuzzy Hash: e774e00060a09d8faa0820462c0983235bde8bc1b18d6eeee024d662ee17d4eb
                    • Instruction Fuzzy Hash: 56618C342042829FD718DF25C498F25BFA1BF94318F14849CE5968B7A3C776EC49CB92
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005F3925
                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005F393A
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005F3954
                    • _wcslen.LIBCMT ref: 005F3999
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 005F39C6
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 005F39F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$Window_wcslen
                    • String ID: SysListView32
                    • API String ID: 2147712094-78025650
                    • Opcode ID: 8874fa5ca0a07617676fafdc30fa0b2e14fd0c628b5e0a2c111d1617abc087ff
                    • Instruction ID: f6ff9e4ed182b662d4699c555d18de4550f6410bbf9c3ea4116c83f0214a460a
                    • Opcode Fuzzy Hash: 8874fa5ca0a07617676fafdc30fa0b2e14fd0c628b5e0a2c111d1617abc087ff
                    • Instruction Fuzzy Hash: 8441857190021DABEB219F64CC49FFA7FA9FF48350F100526FA54E7291D7B99984CB90
                    APIs
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005CBCFD
                    • IsMenu.USER32(00000000), ref: 005CBD1D
                    • CreatePopupMenu.USER32 ref: 005CBD53
                    • GetMenuItemCount.USER32(01215608), ref: 005CBDA4
                    • InsertMenuItemW.USER32(01215608,?,00000001,00000030), ref: 005CBDCC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                    • String ID: 0$2
                    • API String ID: 93392585-3793063076
                    • Opcode ID: cb489663798243483f3a2e1c470e6d9a859bbf22965b4710439470ec9e9cbfa2
                    • Instruction ID: eae3608e439d67b5e7b8a602a682cdc0073c88acce2ced77903f6ccb3f1b3e0c
                    • Opcode Fuzzy Hash: cb489663798243483f3a2e1c470e6d9a859bbf22965b4710439470ec9e9cbfa2
                    • Instruction Fuzzy Hash: 8D517A70A0020A9FEB10DFE8D98AFAEBFF8BF95314F14456DE402A7290D7719945CB61
                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 00582D4B
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00582D53
                    • _ValidateLocalCookies.LIBCMT ref: 00582DE1
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00582E0C
                    • _ValidateLocalCookies.LIBCMT ref: 00582E61
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: &HX$csm
                    • API String ID: 1170836740-4108283372
                    • Opcode ID: e47a7300e9c795090b4a64a6902976b100cf60f5b3218fa055505c2154bd2b55
                    • Instruction ID: aefa99d99700fb7bb7a7114cf33b87dc98029eb3aad61172682a55b89f96bede
                    • Opcode Fuzzy Hash: e47a7300e9c795090b4a64a6902976b100cf60f5b3218fa055505c2154bd2b55
                    • Instruction Fuzzy Hash: 25418334A01209ABCF10EF68C849AAEBFB5BF85324F148155EC15BB392D7759A06CF90
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 005CC913
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 2457776203-404129466
                    • Opcode ID: a8315b3d791f425899e11d8a5380b518577a41536edfea12c8831ba9f9d75734
                    • Instruction ID: e55070751b08b827dbc4b57c5a9a07a1653e0e1727dedf806e5a8dabe2de5214
                    • Opcode Fuzzy Hash: a8315b3d791f425899e11d8a5380b518577a41536edfea12c8831ba9f9d75734
                    • Instruction Fuzzy Hash: 4F112B31689717BEA704AB94EC82EAB2FACFF15754B10002EF908A6182D7B0AD405765
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen$LocalTime
                    • String ID:
                    • API String ID: 952045576-0
                    • Opcode ID: fa8200e2f5102f1302869f229465a9ca9351425342fa71c72e654a5874a8c200
                    • Instruction ID: f2ed4364da38b7fdb09eee5c78125eccd87ebbe03aadf4bfe6fc428ca8a849c8
                    • Opcode Fuzzy Hash: fa8200e2f5102f1302869f229465a9ca9351425342fa71c72e654a5874a8c200
                    • Instruction Fuzzy Hash: 11419365C1011A66CB21FBF4888FADF7BACBF85310F504466E919F3162EB34D245C7A5
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005B682C,00000004,00000000,00000000), ref: 0057F953
                    • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,005B682C,00000004,00000000,00000000), ref: 005BF3D1
                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005B682C,00000004,00000000,00000000), ref: 005BF454
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    • Opcode ID: d7fbe4ec5fdca143c09df8aeb0bd3aa979fee6870aabc5326a49cb2335b94fe0
                    • Instruction ID: bffd1e02cb99ac20e8718ea6627e7cc792107ddc71b4624a32b5024aa37b7053
                    • Opcode Fuzzy Hash: d7fbe4ec5fdca143c09df8aeb0bd3aa979fee6870aabc5326a49cb2335b94fe0
                    • Instruction Fuzzy Hash: F7412B31608640BAC735DF2DED887BA7F92BB96314F14C83CE24F96560D635A884FB11
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 005F2D1B
                    • GetDC.USER32(00000000), ref: 005F2D23
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005F2D2E
                    • ReleaseDC.USER32(00000000,00000000), ref: 005F2D3A
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005F2D76
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005F2D87
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005F2DC2
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005F2DE1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    • Opcode ID: 6feb8fdca534ec953fd31dcf0b8b749f5ae2dae7ab5ce6d8e9d5af5ef07ae6f1
                    • Instruction ID: d612d8ee303a5c12206dd189ff2e7b07ffddaae483b9e43d8983508f3c7de590
                    • Opcode Fuzzy Hash: 6feb8fdca534ec953fd31dcf0b8b749f5ae2dae7ab5ce6d8e9d5af5ef07ae6f1
                    • Instruction Fuzzy Hash: F0317872241618ABEB218F54CC8AFBB3FADFB19711F044065FE08DA291C6799855CBA0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: a0b3783390cd0e2bbaf40e97df9aa5a3340a02d8a519b8168968cd4966ac7d10
                    • Instruction ID: aa20ea36706c9ee7b01e6d59761faf1e2b3561429a0aade1b5b9f377c9437534
                    • Opcode Fuzzy Hash: a0b3783390cd0e2bbaf40e97df9aa5a3340a02d8a519b8168968cd4966ac7d10
                    • Instruction Fuzzy Hash: 7821C861644D1A7F961465D08D86FBA3F5CFE51384B440428FE066A941FB24FDD183A9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: NULL Pointer assignment$Not an Object type
                    • API String ID: 0-572801152
                    • Opcode ID: 82787ae81f068c87375986371ec225cf0c8f6649b9ad80312eb99227cca1e771
                    • Instruction ID: bf8153b19f29b89c28a7904cb077a80e032b6bfcc648847a2991a2c88b90de95
                    • Opcode Fuzzy Hash: 82787ae81f068c87375986371ec225cf0c8f6649b9ad80312eb99227cca1e771
                    • Instruction Fuzzy Hash: E7D1E375A0064A9FDF18CFA9C884FAEBBB5BF48308F148469E955AB281E370DD45CB50
                    APIs
                    • GetCPInfo.KERNEL32(?,?), ref: 005A15CE
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005A1651
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005A16E4
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005A16FB
                      • Part of subcall function 00593820: RtlAllocateHeap.NTDLL(00000000,?,00631444,?,0057FDF5,?,?,0056A976,00000010,00631440,005613FC,?,005613C6,?,00561129), ref: 00593852
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005A1777
                    • __freea.LIBCMT ref: 005A17A2
                    • __freea.LIBCMT ref: 005A17AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                    • String ID:
                    • API String ID: 2829977744-0
                    • Opcode ID: c7b6f72ae4121885a765ac765971fdac010d5310e2d08b872dfe34a2fafe8029
                    • Instruction ID: 0335b5f4391c94fb30cddc7622f3693a80d2d609abe1fe1d9381a59d9f6d79d3
                    • Opcode Fuzzy Hash: c7b6f72ae4121885a765ac765971fdac010d5310e2d08b872dfe34a2fafe8029
                    • Instruction Fuzzy Hash: 8A91C471E00A169ADF248E74C985EEE7FB5FF8A310F184669E902E7181DB35DC44CB68
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Variant$ClearInit
                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2610073882-625585964
                    • Opcode ID: 0f9f446ee36b9990eaba2a647bea08767a09808ab29d49d503b3f115faa0ca8e
                    • Instruction ID: 552461128cb0af8ade3e5f4270bbb3546108416a479989d7625a283a03b2315a
                    • Opcode Fuzzy Hash: 0f9f446ee36b9990eaba2a647bea08767a09808ab29d49d503b3f115faa0ca8e
                    • Instruction Fuzzy Hash: B891B470A00259ABDF24CFA6D848FAEBFB9FF86710F108559F545AB280D7709945CFA0
                    APIs
                    • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 005D125C
                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 005D1284
                    • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005D12A8
                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005D12D8
                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005D135F
                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005D13C4
                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005D1430
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ArraySafe$Data$Access$UnaccessVartype
                    • String ID:
                    • API String ID: 2550207440-0
                    • Opcode ID: 8c1c0006c9c86e3009c85c079aca0ba71c523dd9e17b79ac61f194c91b6b955f
                    • Instruction ID: 6e1660ed399e81ed6bd20fda010a8f6cbecf51cd851e73202a5867d8c8880452
                    • Opcode Fuzzy Hash: 8c1c0006c9c86e3009c85c079aca0ba71c523dd9e17b79ac61f194c91b6b955f
                    • Instruction Fuzzy Hash: 0891F275A00619AFDB20DF99C888BBEBBB5FF84315F10442BE900EB391D775A941CB94
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: 0908c83cbc40fa2520586dc1a9e2f607f117960f4d79905a1ff43b38aa6e7158
                    • Instruction ID: 57e32da801368af47016ae23b38aabc523877b1c7cb0f2e4062495f88c3480c0
                    • Opcode Fuzzy Hash: 0908c83cbc40fa2520586dc1a9e2f607f117960f4d79905a1ff43b38aa6e7158
                    • Instruction Fuzzy Hash: AE912671D0021AEFCB10CFA9D888AEEBFB8FF89320F148555E515B7251D778A942DB60
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 005E396B
                    • CharUpperBuffW.USER32(?,?), ref: 005E3A7A
                    • _wcslen.LIBCMT ref: 005E3A8A
                    • VariantClear.OLEAUT32(?), ref: 005E3C1F
                      • Part of subcall function 005D0CDF: VariantInit.OLEAUT32(00000000), ref: 005D0D1F
                      • Part of subcall function 005D0CDF: VariantCopy.OLEAUT32(?,?), ref: 005D0D28
                      • Part of subcall function 005D0CDF: VariantClear.OLEAUT32(?), ref: 005D0D34
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4137639002-1221869570
                    • Opcode ID: 88d5f413f2d46cc1522bf3acbc6e89745b49dba6f4b5f74718dedef5db949ab1
                    • Instruction ID: 84773aae8646a143a790cbb90863142e3fdfeaa377f3234929983db00af4f231
                    • Opcode Fuzzy Hash: 88d5f413f2d46cc1522bf3acbc6e89745b49dba6f4b5f74718dedef5db949ab1
                    • Instruction Fuzzy Hash: 529147746083469FC704DF25C48996ABBE9FF88314F14886EF88A97351DB31EE45CB92
                    APIs
                      • Part of subcall function 005C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?,?,?,005C035E), ref: 005C002B
                      • Part of subcall function 005C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?,?), ref: 005C0046
                      • Part of subcall function 005C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?,?), ref: 005C0054
                      • Part of subcall function 005C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?), ref: 005C0064
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005E4C51
                    • _wcslen.LIBCMT ref: 005E4D59
                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 005E4DCF
                    • CoTaskMemFree.OLE32(?), ref: 005E4DDA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                    • String ID: NULL Pointer assignment
                    • API String ID: 614568839-2785691316
                    • Opcode ID: 79f5ff98c769ca90377ec5fbef4a5a023eabd602a73e92b55d0e2f57d6f13381
                    • Instruction ID: ac69e7ef515faa39fb78c7ba2c440b7ae63e78e98916fd8187b0e99431724622
                    • Opcode Fuzzy Hash: 79f5ff98c769ca90377ec5fbef4a5a023eabd602a73e92b55d0e2f57d6f13381
                    • Instruction Fuzzy Hash: D9913771D0025DAFDF14DFA5C885AEEBBB8BF48300F108569E955B7291DB349A44CF60
                    APIs
                    • GetMenu.USER32(?), ref: 005F2183
                    • GetMenuItemCount.USER32(00000000), ref: 005F21B5
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005F21DD
                    • _wcslen.LIBCMT ref: 005F2213
                    • GetMenuItemID.USER32(?,?), ref: 005F224D
                    • GetSubMenu.USER32(?,?), ref: 005F225B
                      • Part of subcall function 005C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005C3A57
                      • Part of subcall function 005C3A3D: GetCurrentThreadId.KERNEL32 ref: 005C3A5E
                      • Part of subcall function 005C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005C25B3), ref: 005C3A65
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005F22E3
                      • Part of subcall function 005CE97B: Sleep.KERNEL32 ref: 005CE9F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                    • String ID:
                    • API String ID: 4196846111-0
                    • Opcode ID: 7ea598ed660eb9b21339a38f0b26d130d3f0295ef16cb80a7d56625eb31def16
                    • Instruction ID: 753e6eb1c520076c1b43653c08524085a48c4f1a6085c2eee4d4f3e7b61b4c70
                    • Opcode Fuzzy Hash: 7ea598ed660eb9b21339a38f0b26d130d3f0295ef16cb80a7d56625eb31def16
                    • Instruction Fuzzy Hash: 21713F75A00209AFCB14DFA4C845ABEBFB5BF88310F148459E956EB351DB38AD41CB90
                    APIs
                    • GetParent.USER32(?), ref: 005CAEF9
                    • GetKeyboardState.USER32(?), ref: 005CAF0E
                    • SetKeyboardState.USER32(?), ref: 005CAF6F
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 005CAF9D
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 005CAFBC
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 005CAFFD
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 005CB020
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: b64452f04d56740da0771c2f8e77e3751ce80326cd4890461b4158f65d355658
                    • Instruction ID: a65193e66771129db7e2e414482e28759300a1e82e2523a3cebf7b7db0742e4c
                    • Opcode Fuzzy Hash: b64452f04d56740da0771c2f8e77e3751ce80326cd4890461b4158f65d355658
                    • Instruction Fuzzy Hash: CA5184A06047D93DFB3652B48C4AFBA7EA96B06308F08858DE1D5954C3D3E9ACC8D752
                    APIs
                    • GetParent.USER32(00000000), ref: 005CAD19
                    • GetKeyboardState.USER32(?), ref: 005CAD2E
                    • SetKeyboardState.USER32(?), ref: 005CAD8F
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005CADBB
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005CADD8
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005CAE17
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005CAE38
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: 6194e1fc575d3e47a0d2849bf5355dcb58b5f9407d8994368598aa5ba1c03b4e
                    • Instruction ID: 8b444c9de8d3f7cabe68c861ee0681c39c8110f540472eb08e8d6b8c43c2b438
                    • Opcode Fuzzy Hash: 6194e1fc575d3e47a0d2849bf5355dcb58b5f9407d8994368598aa5ba1c03b4e
                    • Instruction Fuzzy Hash: A251E7A15047D93DFB3783B48C55F7A7EA97B45308F08848CE1D6868C3D294EC88E792
                    APIs
                    • GetConsoleCP.KERNEL32(005A3CD6,?,?,?,?,?,?,?,?,00595BA3,?,?,005A3CD6,?,?), ref: 00595470
                    • __fassign.LIBCMT ref: 005954EB
                    • __fassign.LIBCMT ref: 00595506
                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,005A3CD6,00000005,00000000,00000000), ref: 0059552C
                    • WriteFile.KERNEL32(?,005A3CD6,00000000,00595BA3,00000000,?,?,?,?,?,?,?,?,?,00595BA3,?), ref: 0059554B
                    • WriteFile.KERNEL32(?,?,00000001,00595BA3,00000000,?,?,?,?,?,?,?,?,?,00595BA3,?), ref: 00595584
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    • Opcode ID: b14683ebb0c3d7258849e248cc3cd84f58a45d2f16ebbf1f9e49c5312d19d77f
                    • Instruction ID: 095e79fc5927a88bc4836c528bddf10041e2658d43ea3294002f3d2a4476305d
                    • Opcode Fuzzy Hash: b14683ebb0c3d7258849e248cc3cd84f58a45d2f16ebbf1f9e49c5312d19d77f
                    • Instruction Fuzzy Hash: 2151BF70A006099FDF11CFA8D845AEEBFF9FF09300F15451AE955E7292E630AA51CBA0
                    APIs
                      • Part of subcall function 005E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005E307A
                      • Part of subcall function 005E304E: _wcslen.LIBCMT ref: 005E309B
                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005E1112
                    • WSAGetLastError.WSOCK32 ref: 005E1121
                    • WSAGetLastError.WSOCK32 ref: 005E11C9
                    • closesocket.WSOCK32(00000000), ref: 005E11F9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 2675159561-0
                    • Opcode ID: ca11217800c86aafa9fa9a4b68ed01092ab2d8c76ad431cd487adfed22151d51
                    • Instruction ID: 9321066c38229fa60df9b7b3195c239c1a0884b390d5f53d95395da2ad8499bc
                    • Opcode Fuzzy Hash: ca11217800c86aafa9fa9a4b68ed01092ab2d8c76ad431cd487adfed22151d51
                    • Instruction Fuzzy Hash: DE412431200648AFDB189F15C888BA9BFE9FF85364F148069F986DB291C774AD45CBA4
                    APIs
                      • Part of subcall function 005CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005CCF22,?), ref: 005CDDFD
                      • Part of subcall function 005CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005CCF22,?), ref: 005CDE16
                    • lstrcmpiW.KERNEL32(?,?), ref: 005CCF45
                    • MoveFileW.KERNEL32(?,?), ref: 005CCF7F
                    • _wcslen.LIBCMT ref: 005CD005
                    • _wcslen.LIBCMT ref: 005CD01B
                    • SHFileOperationW.SHELL32(?), ref: 005CD061
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                    • String ID: \*.*
                    • API String ID: 3164238972-1173974218
                    • Opcode ID: 39853de9a9e24efd1da694fb38a99a5e98417b6abac730a00bc0840a4d98bb20
                    • Instruction ID: 9e11eab9ae84abd5efaccce0c945e8d8ef31a5584c18e7689cef7d7ee0a45c40
                    • Opcode Fuzzy Hash: 39853de9a9e24efd1da694fb38a99a5e98417b6abac730a00bc0840a4d98bb20
                    • Instruction Fuzzy Hash: 224144719052195EDF12EBE4C985FDDBFB9BF48380F0000EAE509EB141EA34A688CB50
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005F2E1C
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 005F2E4F
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 005F2E84
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005F2EB6
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005F2EE0
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 005F2EF1
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005F2F0B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: c000e174d9ed0a559f377e1f52dd32e9f36ad1fbcdc79c423eecdf92662f76ff
                    • Instruction ID: cd7456a2abd01f8f4f19f3fd754e37ebf821873e685258aa919554186a2a85af
                    • Opcode Fuzzy Hash: c000e174d9ed0a559f377e1f52dd32e9f36ad1fbcdc79c423eecdf92662f76ff
                    • Instruction Fuzzy Hash: B1311270644248AFEB208F18DD84F753BEAFB9A710F250164FA04CF2B1CB79A844EB40
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005C7769
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005C778F
                    • SysAllocString.OLEAUT32(00000000), ref: 005C7792
                    • SysAllocString.OLEAUT32(?), ref: 005C77B0
                    • SysFreeString.OLEAUT32(?), ref: 005C77B9
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 005C77DE
                    • SysAllocString.OLEAUT32(?), ref: 005C77EC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: 53a1a0573847ba84474b8f7b9801e6fe80d8d22d49ddb515344ff7aa7e242f61
                    • Instruction ID: ba973f58fd2c07f6625b1025dc6370fb566dacc59e2a95dc47c12f7b09817811
                    • Opcode Fuzzy Hash: 53a1a0573847ba84474b8f7b9801e6fe80d8d22d49ddb515344ff7aa7e242f61
                    • Instruction Fuzzy Hash: 92219C7A60821DAFDF10DFA8DC88EBB7BECFB093647008429BA14DB190D6749C45DB64
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005C7842
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005C7868
                    • SysAllocString.OLEAUT32(00000000), ref: 005C786B
                    • SysAllocString.OLEAUT32 ref: 005C788C
                    • SysFreeString.OLEAUT32 ref: 005C7895
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 005C78AF
                    • SysAllocString.OLEAUT32(?), ref: 005C78BD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: 0faa1413d7effe48606564a7b982a3610b355d8393ecd30791b6e086ecaef099
                    • Instruction ID: 4a82250dd383b6091c2c0723ff1461e016f0255821e2e197fd6e021946023378
                    • Opcode Fuzzy Hash: 0faa1413d7effe48606564a7b982a3610b355d8393ecd30791b6e086ecaef099
                    • Instruction Fuzzy Hash: FE215E31608208AF9F109BE8DC8DEBA7BACFB0D7607108129BA15CB2A1D674DC45DB64
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 005D04F2
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005D052E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateHandlePipe
                    • String ID: nul
                    • API String ID: 1424370930-2873401336
                    • Opcode ID: f936237cf42bab4e1db6e47a55d2cb8671c8ab6fa2f2d0af9a5921fd3a8359c8
                    • Instruction ID: 36f0a51ec7b3ab1f9742c4146ff33efb3ffc4dd922ee80ee27f0c35345fa4a6f
                    • Opcode Fuzzy Hash: f936237cf42bab4e1db6e47a55d2cb8671c8ab6fa2f2d0af9a5921fd3a8359c8
                    • Instruction Fuzzy Hash: 07212A75900205EBDF309F29E845BAA7BA4BF94724F204A2BECA1D62E0D7709954DF20
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 005D05C6
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005D0601
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateHandlePipe
                    • String ID: nul
                    • API String ID: 1424370930-2873401336
                    • Opcode ID: ae525ae49ecf6f4d2e35c351aecab0b5d35efaf3dcc9886d2b875427ee31cf3d
                    • Instruction ID: 165666cbfc2c2ac4e470a10b621006538aadb5d79b8af6f6a30d778c288653e3
                    • Opcode Fuzzy Hash: ae525ae49ecf6f4d2e35c351aecab0b5d35efaf3dcc9886d2b875427ee31cf3d
                    • Instruction Fuzzy Hash: CE213B755002059BDB309F6D9804BAA7BA8BF95720F201A1BE8A1E73E0D7B0D964DB20
                    APIs
                      • Part of subcall function 0056600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0056604C
                      • Part of subcall function 0056600E: GetStockObject.GDI32(00000011), ref: 00566060
                      • Part of subcall function 0056600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0056606A
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005F4112
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005F411F
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005F412A
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005F4139
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005F4145
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: a08e0c29b0025c0d05da3f57a9bee1fa69dce72900f0e6c381887ead6f0ba37c
                    • Instruction ID: bb98c4ec16b073820d0ba9d55c9e08062d6e1011891260a4b4db69c17190aff9
                    • Opcode Fuzzy Hash: a08e0c29b0025c0d05da3f57a9bee1fa69dce72900f0e6c381887ead6f0ba37c
                    • Instruction Fuzzy Hash: 92118EB214021EBEEB118E64CC85EF77F6DFF087A8F014110BB18A6050CA769C21DBA4
                    APIs
                      • Part of subcall function 0059D7A3: _free.LIBCMT ref: 0059D7CC
                    • _free.LIBCMT ref: 0059D82D
                      • Part of subcall function 005929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000), ref: 005929DE
                      • Part of subcall function 005929C8: GetLastError.KERNEL32(00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000,00000000), ref: 005929F0
                    • _free.LIBCMT ref: 0059D838
                    • _free.LIBCMT ref: 0059D843
                    • _free.LIBCMT ref: 0059D897
                    • _free.LIBCMT ref: 0059D8A2
                    • _free.LIBCMT ref: 0059D8AD
                    • _free.LIBCMT ref: 0059D8B8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                    • Instruction ID: 4283eaeda1d341cb139cc0301b7d0466f59015d99e55431e6e464c2e274bca8c
                    • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                    • Instruction Fuzzy Hash: 7E11F671940B05BADE21BFF0CC4AFCB7FACBF84700F404825B29DA6492DA69A54586B0
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005CDA74
                    • LoadStringW.USER32(00000000), ref: 005CDA7B
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005CDA91
                    • LoadStringW.USER32(00000000), ref: 005CDA98
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 005CDADC
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 005CDAB9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString$Message
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 4072794657-3128320259
                    • Opcode ID: 1a0e69359a5d5e15225909b5d0efc6ea21d4a3b0553f54ea77ee2000c8a8ae57
                    • Instruction ID: 44ff59917e4260d279b7c436addb7c129d1e2f2458c89da24d57f83188ecde1f
                    • Opcode Fuzzy Hash: 1a0e69359a5d5e15225909b5d0efc6ea21d4a3b0553f54ea77ee2000c8a8ae57
                    • Instruction Fuzzy Hash: A40162F250420C7FEB10ABE49E89EFB7A6CE708701F4044A5B746E2041E6789E888F74
                    APIs
                    • InterlockedExchange.KERNEL32(0120E488,0120E488), ref: 005D097B
                    • EnterCriticalSection.KERNEL32(0120E468,00000000), ref: 005D098D
                    • TerminateThread.KERNEL32(00000000,000001F6), ref: 005D099B
                    • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 005D09A9
                    • CloseHandle.KERNEL32(00000000), ref: 005D09B8
                    • InterlockedExchange.KERNEL32(0120E488,000001F6), ref: 005D09C8
                    • LeaveCriticalSection.KERNEL32(0120E468), ref: 005D09CF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: 19b4fafd0c5838f794884ed6413ed24f7e2c8b81c41c3b4060ee1724e2bdb602
                    • Instruction ID: 97b746b02e9c6c4dd1bf2be9d89d1d6cdcabe8900c8780d64edcb9e62f747979
                    • Opcode Fuzzy Hash: 19b4fafd0c5838f794884ed6413ed24f7e2c8b81c41c3b4060ee1724e2bdb602
                    • Instruction Fuzzy Hash: 03F01D31442506ABD7515B94EF88BE67E25FF11702F402426F101D18A0C7789469EF90
                    APIs
                    • GetClientRect.USER32(?,?), ref: 00565D30
                    • GetWindowRect.USER32(?,?), ref: 00565D71
                    • ScreenToClient.USER32(?,?), ref: 00565D99
                    • GetClientRect.USER32(?,?), ref: 00565ED7
                    • GetWindowRect.USER32(?,?), ref: 00565EF8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Rect$Client$Window$Screen
                    • String ID:
                    • API String ID: 1296646539-0
                    • Opcode ID: 5a1ee20e647a97833ed277211cbfdce697fefce87c2c567e1babecfa1ffce4fe
                    • Instruction ID: a13c74e5cf7be544bfd5441a8ea8d78408ce81d569f74dd707a396d4b4bd7705
                    • Opcode Fuzzy Hash: 5a1ee20e647a97833ed277211cbfdce697fefce87c2c567e1babecfa1ffce4fe
                    • Instruction Fuzzy Hash: 47B16934A0064ADBDF10CFA8C4807EEBBF5FF58310F14881AE8A9D7250EB34AA51DB50
                    APIs
                    • __allrem.LIBCMT ref: 005900BA
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005900D6
                    • __allrem.LIBCMT ref: 005900ED
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0059010B
                    • __allrem.LIBCMT ref: 00590122
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00590140
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 1992179935-0
                    • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                    • Instruction ID: 9ac78968dd107dce0e9c893970a82c956538480845545445922a09fa18990b44
                    • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                    • Instruction Fuzzy Hash: 36811776A00B069FEB24AF68CC49B6B7BE8BF85724F24493AF511E72C1E770D9008750
                    APIs
                      • Part of subcall function 005E3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,005E101C,00000000,?,?,00000000), ref: 005E3195
                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005E1DC0
                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005E1DE1 (ordinal 17 of wsock32.dll is recvfrom; the 00000010 fromlen argument is sizeof(sockaddr_in), consistent with the inet_ntoa and htons calls that follow)
                    • WSAGetLastError.WSOCK32 ref: 005E1DF2
                    • inet_ntoa.WSOCK32(?), ref: 005E1E8C
                    • htons.WSOCK32(?,?,?,?,?), ref: 005E1EDB
                    • _strlen.LIBCMT ref: 005E1F35
                      • Part of subcall function 005C39E8: _strlen.LIBCMT ref: 005C39F2
                      • Part of subcall function 00566D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0057CF58,?,?,?), ref: 00566DBA
                      • Part of subcall function 00566D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0057CF58,?,?,?), ref: 00566DED
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                    • String ID:
                    • API String ID: 1923757996-0
                    • Opcode ID: 4d3bedb32ed0040950a0513271ba56cb4a164c5bffe9a92bde63c5ad8f98adfb
                    • Instruction ID: c2d68898662d02c108f35b0ff3a068fea7adf19ad70f48586c6ecbc4357aebae
                    • Opcode Fuzzy Hash: 4d3bedb32ed0040950a0513271ba56cb4a164c5bffe9a92bde63c5ad8f98adfb
                    • Instruction Fuzzy Hash: 20A1D070104781AFC328DF21C889E2A7FA5BFD4318F54894CF4969B2A2DB31ED85CB91
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005882D9,005882D9,?,?,?,0059644F,00000001,00000001,8BE85006), ref: 00596258
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0059644F,00000001,00000001,8BE85006,?,?,?), ref: 005962DE
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005963D8
                    • __freea.LIBCMT ref: 005963E5
                      • Part of subcall function 00593820: RtlAllocateHeap.NTDLL(00000000,?,00631444,?,0057FDF5,?,?,0056A976,00000010,00631440,005613FC,?,005613C6,?,00561129), ref: 00593852
                    • __freea.LIBCMT ref: 005963EE
                    • __freea.LIBCMT ref: 00596413
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                    • String ID:
                    • API String ID: 1414292761-0
                    • Opcode ID: 681b9638c984ed1a76ea3f161eaa0fa928528ea9fc9562d2be1767765c45e121
                    • Instruction ID: 2f5ad382b0bbb3b17748733250d78e364d85be081bea9c1343717dd5684afff2
                    • Opcode Fuzzy Hash: 681b9638c984ed1a76ea3f161eaa0fa928528ea9fc9562d2be1767765c45e121
                    • Instruction Fuzzy Hash: DE51D072600216ABEF268F64DC85EAF7FA9FB84750F154A29FC05D7180EB34DC58D660
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                      • Part of subcall function 005EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005EB6AE,?,?), ref: 005EC9B5
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005EC9F1
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005ECA68
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005ECA9E
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005EBCCA
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005EBD25
                    • RegCloseKey.ADVAPI32(00000000), ref: 005EBD6A
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005EBD99
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 005EBDF3
                    • RegCloseKey.ADVAPI32(?), ref: 005EBDFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                    • String ID:
                    • API String ID: 1120388591-0
                    • Opcode ID: d93272941c28f391491244afc05ee45945d20d9fcf2898c69734fa119ce90f45
                    • Instruction ID: 3d6099a6c170ede39f28094953ddde5ab1769ada31693352f08c30bf456c1340
                    • Opcode Fuzzy Hash: d93272941c28f391491244afc05ee45945d20d9fcf2898c69734fa119ce90f45
                    • Instruction Fuzzy Hash: 93816F30108241AFD714DF24C995E6ABFE9FF84308F14896CF5998B2A2DB31ED45CB92
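The Similarity fields on each record (API ID, API String ID, Instruction Fuzzy Hash) exist so that functions can be matched across samples, but the plugin output is a flat text dump. The parser below is an added example written for this page, not part of Joe Sandbox or of the report: it reads the record layout shown above, resolves wsock32 ordinal imports such as `#17` through the standard wsock32.dll export table, and flags call sets a reviewer would want to look at first. The embedded sample text is trimmed from three records on this page (the CreatePipe/"nul", recvfrom, and RegEnumValueW functions); the capability labels in `FAMILIES` are the editor's own review heuristics and are not report output or verdicts.

```python
import re

# Constructed sample: three function records excerpted from the Joe Sandbox IDA
# plugin section above and trimmed to the fields this parser reads.
SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 005D05C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005D0601
Memory Dump Source
• Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Instruction Fuzzy Hash: CE213B755002059BDB309F6D9804BAA7BA8BF95720F201A1BE8A1E73E0D7B0D964DB20
APIs
  • Part of subcall function 005E3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,005E101C,00000000,?,?,00000000), ref: 005E3195
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005E1DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005E1DE1
• WSAGetLastError.WSOCK32 ref: 005E1DF2
• inet_ntoa.WSOCK32(?), ref: 005E1E8C
• htons.WSOCK32(?,?,?,?,?), ref: 005E1EDB
• _strlen.LIBCMT ref: 005E1F35
Similarity
• API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
• String ID:
• API String ID: 1923757996-0
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005EBCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005EBD25
• RegCloseKey.ADVAPI32(00000000), ref: 005EBD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005EBD99
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• API String ID: 1120388591-0
"""

# Standard wsock32.dll export ordinals; the report prints ordinal imports as "#N".
WSOCK32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 8: "htonl",
                    9: "htons", 10: "inet_addr", 11: "inet_ntoa", 13: "listen", 16: "recv",
                    17: "recvfrom", 18: "select", 19: "send", 20: "sendto", 23: "socket"}

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]{8}): )?"
                    r"(.+?)\.([A-Z0-9]+)(?:\((.*)\))?,? ref: ([0-9A-F]{8})$")
KV_RE = re.compile(r"^([A-Za-z ]+?):\s?(.*)$")
XREF_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]{8})$")

# Review heuristics (editor's own, not report output): a record is flagged when its
# call set covers every API in a family. They mark capabilities to look at, not verdicts.
FAMILIES = {
    "child stdio through pipes": {"GetStdHandle", "CreatePipe"},
    "UDP recvfrom + peer decoding": {"recvfrom", "inet_ntoa"},
    "registry value enumeration (RegConnectRegistryW can target a remote host)":
        {"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"},
}


def parse_records(text):
    """Split the plugin dump into one dict per function; a record starts at each 'APIs'."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "meta": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if not m:
                raise ValueError("unparsed API line: " + body)
            caller, name, module, args, ref = m.groups()
            if name.startswith("#") and module == "WSOCK32":  # "#17" -> "recvfrom"
                name = WSOCK32_ORDINALS.get(int(name[1:]), name)
            rec["apis"].append({"name": name, "module": module, "ref": ref,
                                "args": args.split(",") if args is not None else [],
                                "subcall": caller})
        elif section == "Strings":
            m = XREF_RE.match(body)
            if m:
                rec["strings"].append({"value": m.group(1), "xref": m.group(2)})
        else:  # Memory Dump Source / IDA Plugin / Similarity are "Key: value" lines
            m = KV_RE.match(body)
            if m:
                rec["meta"][m.group(1)] = m.group(2)
    return records


def api_names(rec):
    return {a["name"] for a in rec["apis"]}


def triage(records):
    """Map a record's API String ID to the families its call set covers."""
    hits = {}
    for rec in records:
        found = [label for label, needed in FAMILIES.items() if needed <= api_names(rec)]
        if found:
            hits[rec["meta"]["API String ID"]] = found
    return hits


def shared_functions(records_a, records_b):
    """API String IDs present in both reports: cheap cross-sample function matching."""
    ids = lambda recs: {r["meta"].get("API String ID") for r in recs}
    return ids(records_a) & ids(records_b)


if __name__ == "__main__":
    for sid, labels in triage(parse_records(SAMPLE)).items():
        print(sid, "->", "; ".join(labels))
```

Feed it the full "Joe Sandbox IDA Plugin" section of two reports and `shared_functions` gives the API String IDs common to both; since this loader is AutoIt-compiled, most of those will be AutoIt runtime functions, so the fuzzy hashes of the records that are not shared are where the sample-specific code lives.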
                    APIs
                    • VariantInit.OLEAUT32(00000035), ref: 005BF7B9
                    • SysAllocString.OLEAUT32(00000001), ref: 005BF860
                    • VariantCopy.OLEAUT32(005BFA64,00000000), ref: 005BF889
                    • VariantClear.OLEAUT32(005BFA64), ref: 005BF8AD
                    • VariantCopy.OLEAUT32(005BFA64,00000000), ref: 005BF8B1
                    • VariantClear.OLEAUT32(?), ref: 005BF8BB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Variant$ClearCopy$AllocInitString
                    • String ID:
                    • API String ID: 3859894641-0
                    • Opcode ID: 700e30c0debead6265a472aa86c8e74632d32631dcc737fa6d76c57ceed63d5d
                    • Instruction ID: 93fb0a88ed585935eaa2c1e76ff39ca1edac4ca5308ebe5314f56d289a3a6125
                    • Opcode Fuzzy Hash: 700e30c0debead6265a472aa86c8e74632d32631dcc737fa6d76c57ceed63d5d
                    • Instruction Fuzzy Hash: 0451D531600311BACF20AB65DC99BA9BBA8FF95710F209877F905DF291DB70AC40D766
                    APIs
                      • Part of subcall function 00567620: _wcslen.LIBCMT ref: 00567625
                      • Part of subcall function 00566B57: _wcslen.LIBCMT ref: 00566B6A
                    • GetOpenFileNameW.COMDLG32(00000058), ref: 005D94E5
                    • _wcslen.LIBCMT ref: 005D9506
                    • _wcslen.LIBCMT ref: 005D952D
                    • GetSaveFileNameW.COMDLG32(00000058), ref: 005D9585
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen$FileName$OpenSave
                    • String ID: X
                    • API String ID: 83654149-3081909835
                    • Opcode ID: 98aeec0f2385b815a4bbef051740efb621132b840efee65bcec21d4eb04487d9
                    • Instruction ID: 1d12643e55bcda1e78b9c5c9c33a17b72c4a66e8e8ec9b56f9f7424bc6dd651f
                    • Opcode Fuzzy Hash: 98aeec0f2385b815a4bbef051740efb621132b840efee65bcec21d4eb04487d9
                    • Instruction Fuzzy Hash: 26E184316043419FD724DF28C485A6ABBE4BFC5314F14896EF8899B3A2EB31DD45CB92
                    APIs
                      • Part of subcall function 00579BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00579BB2
                    • BeginPaint.USER32(?,?,?), ref: 00579241
                    • GetWindowRect.USER32(?,?), ref: 005792A5
                    • ScreenToClient.USER32(?,?), ref: 005792C2
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005792D3
                    • EndPaint.USER32(?,?,?,?,?), ref: 00579321
                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005B71EA
                      • Part of subcall function 00579339: BeginPath.GDI32(00000000), ref: 00579357
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                    • String ID:
                    • API String ID: 3050599898-0
                    • Opcode ID: 7e5dac0af633540fa402ff3bd545758478b3719c87f0c0bd6cc3ca79c62d9dd0
                    • Instruction ID: 1ca3cfc51087c9ce95ecbc531eb40363e2844be729207f4425530393051dfd22
                    • Opcode Fuzzy Hash: 7e5dac0af633540fa402ff3bd545758478b3719c87f0c0bd6cc3ca79c62d9dd0
                    • Instruction Fuzzy Hash: 0D41A070108205AFD710DF28D884FBA7FA9FB9A320F144669F959CB2E1C7319845EBB1
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 005D080C
                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 005D0847
                    • EnterCriticalSection.KERNEL32(?), ref: 005D0863
                    • LeaveCriticalSection.KERNEL32(?), ref: 005D08DC
                    • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005D08F3
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 005D0921
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                    • String ID:
                    • API String ID: 3368777196-0
                    • Opcode ID: 88a43840e6c989540a314d61bdfc17011f18c9a7d61423a304f7ef9810b43ebf
                    • Instruction ID: 0cc6d781c5c90b6fb7237638f5afab481ce47bdefae5191ac20a260964933525
                    • Opcode Fuzzy Hash: 88a43840e6c989540a314d61bdfc17011f18c9a7d61423a304f7ef9810b43ebf
                    • Instruction Fuzzy Hash: 74415971900205ABDF14EF58DC89A6A7B79FF44310F1480A6ED04EA297D734DE65EBA0
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,005BF3AB,00000000,?,?,00000000,?,005B682C,00000004,00000000,00000000), ref: 005F824C
                    • EnableWindow.USER32(00000000,00000000), ref: 005F8272
                    • ShowWindow.USER32(FFFFFFFF,00000000), ref: 005F82D1
                    • ShowWindow.USER32(00000000,00000004), ref: 005F82E5
                    • EnableWindow.USER32(00000000,00000001), ref: 005F830B
                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005F832F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: 23860e0c979abc8715235547f8166bdf76ebb6cbb53aa593c41497c014be6d5a
                    • Instruction ID: 12029007898df74d3a54f4e95bfbfccf1e58c16c192b2a1f963113b26ca150df
                    • Opcode Fuzzy Hash: 23860e0c979abc8715235547f8166bdf76ebb6cbb53aa593c41497c014be6d5a
                    • Instruction Fuzzy Hash: 3C417134601A48EFDB11CF15CD99BF87FE1BB4A714F185569E6088F2B2CB35A845CB50
                    APIs
                    • IsWindowVisible.USER32(?), ref: 005C4C95
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005C4CB2
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005C4CEA
                    • _wcslen.LIBCMT ref: 005C4D08
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005C4D10
                    • _wcsstr.LIBVCRUNTIME ref: 005C4D1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                    • String ID:
                    • API String ID: 72514467-0
                    • Opcode ID: 1e7d37ae3cd1484e89811c7c13570c52e6122f3cce7280592aa96f64c6f71ad9
                    • Instruction ID: 2cd87ebf8afb208648b5577006050b5841f8cb61dc080f69533a75a4854cdb80
                    • Opcode Fuzzy Hash: 1e7d37ae3cd1484e89811c7c13570c52e6122f3cce7280592aa96f64c6f71ad9
                    • Instruction Fuzzy Hash: F121B6316041057FEB15AB69AD59F7B7F9CEF45750F10803DF809DE1A1EA659C00DB60
                    APIs
                      • Part of subcall function 00563AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00563A97,?,?,00562E7F,?,?,?,00000000), ref: 00563AC2
                    • _wcslen.LIBCMT ref: 005D587B
                    • CoInitialize.OLE32(00000000), ref: 005D5995
                    • CoCreateInstance.OLE32(005FFCF8,00000000,00000001,005FFB68,?), ref: 005D59AE
                    • CoUninitialize.OLE32 ref: 005D59CC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                    • String ID: .lnk
                    • API String ID: 3172280962-24824748
                    • Opcode ID: 4db1b2497d9bb2e8fd9eb3ac2735d40b92bd2e2018d3c7076f3d2d39ad35c099
                    • Instruction ID: 08da4494df058f7170fa56926c453076f800a8f391b8bd7678b3d07d428b41bc
                    • Opcode Fuzzy Hash: 4db1b2497d9bb2e8fd9eb3ac2735d40b92bd2e2018d3c7076f3d2d39ad35c099
                    • Instruction Fuzzy Hash: 5CD155716087059FC724DF28C49492ABBE5FF89714F14485EF88A9B361EB31EC45CB92
                    APIs
                      • Part of subcall function 005C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005C0FCA
                      • Part of subcall function 005C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005C0FD6
                      • Part of subcall function 005C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005C0FE5
                      • Part of subcall function 005C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005C0FEC
                      • Part of subcall function 005C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005C1002
                    • GetLengthSid.ADVAPI32(?,00000000,005C1335), ref: 005C17AE
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 005C17BA
                    • HeapAlloc.KERNEL32(00000000), ref: 005C17C1
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 005C17DA
                    • GetProcessHeap.KERNEL32(00000000,00000000,005C1335), ref: 005C17EE
                    • HeapFree.KERNEL32(00000000), ref: 005C17F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    • API String ID: 3008561057-0
                    • Opcode ID: ac6fcc05869aa2ab342a6106236e28a8a01db7921eeca810db7ca5e5b3abbd68
                    • Instruction ID: 00f221a67e4d161e4b2ce8795cc7bcc93ec9dce0926d13065176cca2f535d25b
                    • Opcode Fuzzy Hash: ac6fcc05869aa2ab342a6106236e28a8a01db7921eeca810db7ca5e5b3abbd68
                    • Instruction Fuzzy Hash: D1118931500609EFDB149BA4CD49FAE7FE9FF42355F10442CE481D7212C739A959DB68
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005C14FF
                    • OpenProcessToken.ADVAPI32(00000000), ref: 005C1506
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005C1515
                    • CloseHandle.KERNEL32(00000004), ref: 005C1520
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005C154F
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 005C1563
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 1413079979-0
                    • Opcode ID: ba49a26f52a42f9ca4f9441bf86b08021e9cc67c64ff90976807e3ee60317cfe
                    • Instruction ID: 07dde692ae4a36b43fa5fd9bbaed4add2955c223be7eab89680e90253e647329
                    • Opcode Fuzzy Hash: ba49a26f52a42f9ca4f9441bf86b08021e9cc67c64ff90976807e3ee60317cfe
                    • Instruction Fuzzy Hash: E011247250120DAFDF118F98DE49FAA7FA9FF49744F044068FA05A2160C3758E69EB64
                    APIs
                    • GetLastError.KERNEL32(?,?,00583379,00582FE5), ref: 00583390
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0058339E
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005833B7
                    • SetLastError.KERNEL32(00000000,?,00583379,00582FE5), ref: 00583409
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: c895582696e2f834c8b33eee9ca453dd84f55adcdd4ac42bcb20885fdca1254d
                    • Instruction ID: 880d70a6233715866dc9970f608bdb5d88a588ffa45b375ddebe9f1cdf8d2b32
                    • Opcode Fuzzy Hash: c895582696e2f834c8b33eee9ca453dd84f55adcdd4ac42bcb20885fdca1254d
                    • Instruction Fuzzy Hash: DA012832208712BEEB2437797C9992B2E94FB55B757200629FC10A01F0EF124D069784
                    APIs
                    • GetLastError.KERNEL32(?,?,00595686,005A3CD6,?,00000000,?,00595B6A,?,?,?,?,?,0058E6D1,?,00628A48), ref: 00592D78
                    • _free.LIBCMT ref: 00592DAB
                    • _free.LIBCMT ref: 00592DD3
                    • SetLastError.KERNEL32(00000000,?,?,?,?,0058E6D1,?,00628A48,00000010,00564F4A,?,?,00000000,005A3CD6), ref: 00592DE0
                    • SetLastError.KERNEL32(00000000,?,?,?,?,0058E6D1,?,00628A48,00000010,00564F4A,?,?,00000000,005A3CD6), ref: 00592DEC
                    • _abort.LIBCMT ref: 00592DF2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: 8e415d3056760e31350491b14027f584d66f8336d7dc75e7c0702c3ffb976f22
                    • Instruction ID: e0c636096d6380daf236a54650a56dc7560d6caf80d5718fb7a4571ade110887
                    • Opcode Fuzzy Hash: 8e415d3056760e31350491b14027f584d66f8336d7dc75e7c0702c3ffb976f22
                    • Instruction Fuzzy Hash: F8F0A436545B0277CF226738AC0EE2F2D5ABFD17A1F250829F829D21D2EE24880751A0
                    APIs
                      • Part of subcall function 00579639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00579693
                      • Part of subcall function 00579639: SelectObject.GDI32(?,00000000), ref: 005796A2
                      • Part of subcall function 00579639: BeginPath.GDI32(?), ref: 005796B9
                      • Part of subcall function 00579639: SelectObject.GDI32(?,00000000), ref: 005796E2
                    • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005F8A4E
                    • LineTo.GDI32(?,00000003,00000000), ref: 005F8A62
                    • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005F8A70
                    • LineTo.GDI32(?,00000000,00000003), ref: 005F8A80
                    • EndPath.GDI32(?), ref: 005F8A90
                    • StrokePath.GDI32(?), ref: 005F8AA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    • API String ID: 43455801-0
                    • Opcode ID: 0c9461bb6348ccbfadfc51f9382e73749283a79b64b29d352aa09c87c6178d54
                    • Instruction ID: 2f7eb55cf70541f7beada5cad6c0fc5fcee60269915f0d66329236ceb0455a87
                    • Opcode Fuzzy Hash: 0c9461bb6348ccbfadfc51f9382e73749283a79b64b29d352aa09c87c6178d54
                    • Instruction Fuzzy Hash: 3C111B7600010DFFDF129F90DC88FAA7F6DEB09364F008062BA199A1A1CB759D55EFA0
                    APIs
                    • GetDC.USER32(00000000), ref: 005C5218
                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 005C5229
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005C5230
                    • ReleaseDC.USER32(00000000,00000000), ref: 005C5238
                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 005C524F
                    • MulDiv.KERNEL32(000009EC,00000001,?), ref: 005C5261
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CapsDevice$Release
                    • String ID:
                    • API String ID: 1035833867-0
                    • Opcode ID: d15534bef92d4d7dcdbdc26261e0fe9bd450effff7571d7e3bc22e5346262248
                    • Instruction ID: b9a35ec18c24229b6d634b109bd2d326044a56d4f6a827dad70e784e992c17e3
                    • Opcode Fuzzy Hash: d15534bef92d4d7dcdbdc26261e0fe9bd450effff7571d7e3bc22e5346262248
                    • Instruction Fuzzy Hash: 5B018F75A40708BBEB109BE59D49F5EBFB8FB58351F044065FA04E7380DA709808DBA0
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00561BF4
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00561BFC
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00561C07
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00561C12
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00561C1A
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00561C22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: c8b823cc951e05db1910d1d648860dd4c7177ea3b205abd97b8900e77faa9a51
                    • Instruction ID: d2978add2c5cfa1977392ab3673b5259adda80062e3c70c986b9d16039215494
                    • Opcode Fuzzy Hash: c8b823cc951e05db1910d1d648860dd4c7177ea3b205abd97b8900e77faa9a51
                    • Instruction Fuzzy Hash: 9D016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C8B941C7F5A868CBE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005CEB30
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005CEB46
                    • GetWindowThreadProcessId.USER32(?,?), ref: 005CEB55
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005CEB64
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005CEB6E
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005CEB75
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: d925877aa33410dd7f7504cbae8379055ba5b5cdfc93574dd0ae4b10cd97dfdd
                    • Instruction ID: e23e9447844fbc8787936d85e82be57cdd5fd922b2bcd4570b1150e4e6a65a8b
                    • Opcode Fuzzy Hash: d925877aa33410dd7f7504cbae8379055ba5b5cdfc93574dd0ae4b10cd97dfdd
                    • Instruction Fuzzy Hash: EAF09A7220011CBBE7205BA29D0EEFF3E7CEFDAB11F000168F601D5090DBA81A05E6B4
                    APIs
                    • GetClientRect.USER32(?), ref: 005B7452
                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 005B7469
                    • GetWindowDC.USER32(?), ref: 005B7475
                    • GetPixel.GDI32(00000000,?,?), ref: 005B7484
                    • ReleaseDC.USER32(?,00000000), ref: 005B7496
                    • GetSysColor.USER32(00000005), ref: 005B74B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ClientColorMessagePixelRectReleaseSendWindow
                    • String ID:
                    • API String ID: 272304278-0
                    • Opcode ID: fc374acd50e6cc56de9cca601ea3eedd923d466e63bbe7cf1e0e5482b2180189
                    • Instruction ID: 6d9612b830e779f20ba97b9ef09ba762a39ac4030e7c9f92e742c6cfc757dd79
                    • Opcode Fuzzy Hash: fc374acd50e6cc56de9cca601ea3eedd923d466e63bbe7cf1e0e5482b2180189
                    • Instruction Fuzzy Hash: 2D018B31404209EFEB105F64DD08BFA7FB6FB18312F2000A0F916E61A0CB352E55EB50
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 005C187F
                    • UnloadUserProfile.USERENV(?,?), ref: 005C188B
                    • CloseHandle.KERNEL32(?), ref: 005C1894
                    • CloseHandle.KERNEL32(?), ref: 005C189C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 005C18A5
                    • HeapFree.KERNEL32(00000000), ref: 005C18AC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                    • String ID:
                    • API String ID: 146765662-0
                    • Opcode ID: ef964fd67aeac926d2abd82f2d5b4fc88063861001e81f0620b44b02534e3601
                    • Instruction ID: e7992392e0ff39e31f420da513bc5b2a68039941853b6ff049e149b434cf250a
                    • Opcode Fuzzy Hash: ef964fd67aeac926d2abd82f2d5b4fc88063861001e81f0620b44b02534e3601
                    • Instruction Fuzzy Hash: 8EE0C236004109BBDA016BA1EE0CD1ABF29FF69B22B108A34F225C10B0CB369438FB50
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 0056BEB3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Init_thread_footer
                    • String ID: D%c$D%c$D%c$D%cD%c
                    • API String ID: 1385522511-1154464111
                    • Opcode ID: 42a09815b0095898d18672c69af274cb166c08299e6d0748f981b8e2d3282020
                    • Instruction ID: 27dbd73f216ad393d30ec67c13482b24a031c3d19e5f3d2ed23ee1cca4b12534
                    • Opcode Fuzzy Hash: 42a09815b0095898d18672c69af274cb166c08299e6d0748f981b8e2d3282020
                    • Instruction Fuzzy Hash: 2F911975A0020ADFEB58CF58C0916AABBF2FF58314F248569D945EB351E731AE81CB90
                    APIs
                      • Part of subcall function 00580242: EnterCriticalSection.KERNEL32(0063070C,00631884,?,?,0057198B,00632518,?,?,?,005612F9,00000000), ref: 0058024D
                      • Part of subcall function 00580242: LeaveCriticalSection.KERNEL32(0063070C,?,0057198B,00632518,?,?,?,005612F9,00000000), ref: 0058028A
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                      • Part of subcall function 005800A3: __onexit.LIBCMT ref: 005800A9
                    • __Init_thread_footer.LIBCMT ref: 005E7BFB
                      • Part of subcall function 005801F8: EnterCriticalSection.KERNEL32(0063070C,?,?,00578747,00632514), ref: 00580202
                      • Part of subcall function 005801F8: LeaveCriticalSection.KERNEL32(0063070C,?,00578747,00632514), ref: 00580235
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                    • String ID: +T[$5$G$Variable must be of type 'Object'.
                    • API String ID: 535116098-240099754
                    • Opcode ID: 1fcadbae053dc61b7e0dfb8d58ea1cb65d7988c647fc511832b3b6a238a95558
                    • Instruction ID: 101a23a131ff920054283e71afb645af72a1abaaf8eab9cd08471402c8dde32e
                    • Opcode Fuzzy Hash: 1fcadbae053dc61b7e0dfb8d58ea1cb65d7988c647fc511832b3b6a238a95558
                    • Instruction Fuzzy Hash: 5991AF70A0424AEFCB08EF55D9949BDBFB6FF88304F108059F886AB291DB719E41CB51
                    APIs
                      • Part of subcall function 00567620: _wcslen.LIBCMT ref: 00567625
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005CC6EE
                    • _wcslen.LIBCMT ref: 005CC735
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005CC79C
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005CC7CA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ItemMenu$Info_wcslen$Default
                    • String ID: 0
                    • API String ID: 1227352736-4108050209
                    • Opcode ID: 27c381d98018e3dd02efa3079b7ca66ee77ae47cd35068aee8dc0743766cb654
                    • Instruction ID: d69d131301516461a3250db7411d4272c2f2b913338a57893c6c8ee7c93b09d0
                    • Opcode Fuzzy Hash: 27c381d98018e3dd02efa3079b7ca66ee77ae47cd35068aee8dc0743766cb654
                    • Instruction Fuzzy Hash: EA51AC716143019FD710DEA8C989F6ABFE8FB89310F040A2DF999E71A0DB64D844DB92
                    APIs
                    • ShellExecuteExW.SHELL32(0000003C), ref: 005EAEA3
                      • Part of subcall function 00567620: _wcslen.LIBCMT ref: 00567625
                    • GetProcessId.KERNEL32(00000000), ref: 005EAF38
                    • CloseHandle.KERNEL32(00000000), ref: 005EAF67
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CloseExecuteHandleProcessShell_wcslen
                    • String ID: <$@
                    • API String ID: 146682121-1426351568
                    • Opcode ID: 9af85794babe1c8c44af3fdfbfa68cc1b1569e876045aec01c57c206bd12abaf
                    • Instruction ID: c3d052c47608a0014d57ad6f35c716db8c59c439ec301dc334699bfa12cff5d7
                    • Opcode Fuzzy Hash: 9af85794babe1c8c44af3fdfbfa68cc1b1569e876045aec01c57c206bd12abaf
                    • Instruction Fuzzy Hash: D0717874A0025ADFCB14DF65C488A9EBFF4BF48304F048499E856AB3A2DB74ED45CB91
                    APIs
                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005C7206
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005C723C
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005C724D
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005C72CF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorMode$AddressCreateInstanceProc
                    • String ID: DllGetClassObject
                    • API String ID: 753597075-1075368562
                    • Opcode ID: 4110b70bb59720509b7717da8a3f14372e9972d9b477db782b1dea505be7cb1f
                    • Instruction ID: 173b4485a8942b63799525c23d5016ee944070cbe773f2b97cfa0a597e5b0c0e
                    • Opcode Fuzzy Hash: 4110b70bb59720509b7717da8a3f14372e9972d9b477db782b1dea505be7cb1f
                    • Instruction Fuzzy Hash: A1414C75604208AFDB15CF94C884FAA7FA9FF58310B2484ADBD059F60AD7B4DA44DFA0
                    APIs
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005F3E35
                    • IsMenu.USER32(?), ref: 005F3E4A
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005F3E92
                    • DrawMenuBar.USER32 ref: 005F3EA5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert
                    • String ID: 0
                    • API String ID: 3076010158-4108050209
                    • Opcode ID: 638412e3920a4b77152931ba76eb09baa495b540f054a7bff40ce23d8df50b2d
                    • Instruction ID: f1e4cdec929f567bb00cea1a5f229a79e784bd022aed6b0c3445cc2ea913d68c
                    • Opcode Fuzzy Hash: 638412e3920a4b77152931ba76eb09baa495b540f054a7bff40ce23d8df50b2d
                    • Instruction Fuzzy Hash: E0412775A0120DEFEF10DF50D884AEABBB9FF49354F044129EA15AB250D738AE45DF90
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen
                    • String ID: HKEY_LOCAL_MACHINE$HKLM
                    • API String ID: 176396367-4004644295
                    • Opcode ID: 32a0d5ec84068950b1d4b985ea76b0b280e80dd9e7c3399157fde640850f6226
                    • Instruction ID: f5c6837e9531e74e31b67bd85da3beeed39c4d9572ab1033b52bb0aa22feee7c
                    • Opcode Fuzzy Hash: 32a0d5ec84068950b1d4b985ea76b0b280e80dd9e7c3399157fde640850f6226
                    • Instruction Fuzzy Hash: BE312B736005EA4BCB28EF2ED9404BE3F927BA1750B154039ECD56B244E670CD82D7A0
                    APIs
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005F2F8D
                    • LoadLibraryW.KERNEL32(?), ref: 005F2F94
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005F2FA9
                    • DestroyWindow.USER32(?), ref: 005F2FB1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$DestroyLibraryLoadWindow
                    • String ID: SysAnimate32
                    • API String ID: 3529120543-1011021900
                    • Opcode ID: a0025ead0ab5581b4e97c042a45c61f92bf2701be7d46fa6be8370e151acb82c
                    • Instruction ID: 568577ccc958feb8cb758661845f3af948407d20f10483ec23aa3fd3300d8410
                    • Opcode Fuzzy Hash: a0025ead0ab5581b4e97c042a45c61f92bf2701be7d46fa6be8370e151acb82c
                    • Instruction Fuzzy Hash: 1221F0B122420EABEB104F64DC86EBB3BBDFB59324F100628FA50D60A0D339DC41DB60
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00584D1E,005928E9,?,00584CBE,005928E9,006288B8,0000000C,00584E15,005928E9,00000002), ref: 00584D8D
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00584DA0
                    • FreeLibrary.KERNEL32(00000000,?,?,?,00584D1E,005928E9,?,00584CBE,005928E9,006288B8,0000000C,00584E15,005928E9,00000002,00000000), ref: 00584DC3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: f9771debc6bc29ba201bcbbeac8d1e2c1c62b6467995899c7120c5cf513d7871
                    • Instruction ID: de2dea4be0885dba5a104fff32bca6f0082100f6f5ee432d9af34b46c0985aa9
                    • Opcode Fuzzy Hash: f9771debc6bc29ba201bcbbeac8d1e2c1c62b6467995899c7120c5cf513d7871
                    • Instruction Fuzzy Hash: 3BF0AF30A4020DBBEB14AF90DC09BAEBFBAEF44751F0000A4FC05E62A0CB345944DF90
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00564EDD,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564E9C
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00564EAE
                    • FreeLibrary.KERNEL32(00000000,?,?,00564EDD,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564EC0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 145871493-3689287502
                    • Opcode ID: 982ad42df110126e3d5d052c13d86898099c6ab7d5760cc99ab24ccb28755463
                    • Instruction ID: f72c35d9195a9aa7e2091c338b1343d240dc97dca74d8e9b72e087a60ffdf81e
                    • Opcode Fuzzy Hash: 982ad42df110126e3d5d052c13d86898099c6ab7d5760cc99ab24ccb28755463
                    • Instruction Fuzzy Hash: 43E08635A016365BD22117256D18E7B6D59BF91B627050125FD04E7200DB68CD09D8A1
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,005A3CDE,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564E62
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00564E74
                    • FreeLibrary.KERNEL32(00000000,?,?,005A3CDE,?,00631418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00564E87
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 145871493-1355242751
                    • Opcode ID: f054fa08ff729caa02f68f7c2ff2dc011c70d733d1e0ecf503c8ad0ec31713b5
                    • Instruction ID: be6713ccd2a8a4f01b9fec3580be4fe878b50b28c8623621ba2dc9817184e15d
                    • Opcode Fuzzy Hash: f054fa08ff729caa02f68f7c2ff2dc011c70d733d1e0ecf503c8ad0ec31713b5
                    • Instruction Fuzzy Hash: 18D02B39502A365B86321B247C0CDEF2E1DBF81F113050131F904E7210CF29CD15D9D1
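The two small functions above, the `mscoree.dll`/`CorExitProcess` lookup earlier in this listing, and the `LoadLibraryW`/`GetProcAddress`/`FreeLibrary` function at 005E8F40 further down are all dynamic API resolution, but they are not equally interesting to a triager. The `Wow64DisableWow64FsRedirection`/`Wow64RevertWow64FsRedirection` wrappers carry the interpreter string `>>>AUTOIT NO CMDEXECUTE<<<` at their call sites, consistent with the AutoIt runtime embedded in this compiled-script sample, and probing `mscoree.dll` for `CorExitProcess` is the MSVC CRT's ordinary exit path. The entry worth chasing is the one where the static pass could recover neither the module nor the export name (both shown as `?`), because only a runtime trace can say what that call resolved. The Python below is an added example, not Joe Sandbox's code: it parses records in the `APIs`/`Similarity` layout used on this page (the sample input is abridged from entries in this listing), pairs each `GetProcAddress` with the most recent loader call in the same function body, leaves `Part of subcall function` lines out so a callee's imports are not charged to the caller, and flags records whose target is opaque. The regular expressions and the `is_literal` convention (an argument rendered as `?` or as a bare 8-digit hex value is treated as unrecovered) are assumptions about the listing format, not a documented schema.

```python
"""Added example (not Joe Sandbox's code): triage a per-function API listing in this
report's layout for dynamically resolved imports. The regexes and the '?'/hex
convention for unrecovered arguments are assumptions about the page format."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: three "APIs" records abridged from the listing on this
# page (argument lists shortened, memory-dump and hash metadata lines dropped).
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00564EDD,>>>AUTOIT NO CMDEXECUTE<<<,?,00000000), ref: 00564E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00564EAE
• FreeLibrary.KERNEL32(00000000,?,?,00564EDD), ref: 00564EC0
Similarity
• API ID: Library$AddressFreeLoadProc
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?), ref: 00584D8D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00584DA0
• FreeLibrary.KERNEL32(00000000), ref: 00584DC3
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 005E8F40
• GetProcAddress.KERNEL32(00000000,?), ref: 005E8FD0
• FreeLibrary.KERNEL32(00000000), ref: 005E9052
  • Part of subcall function 0057F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?), ref: 0057F6E6
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
"""

# One "• Api.MODULE(args), ref: ADDR" line; the argument list and the subcall prefix are optional.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
API_ID_RE = re.compile(r"•\s*API ID:\s*(?P<val>.*)$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExA", "GetModuleHandleExW"}


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None  # callee address when the line is a "Part of subcall" entry


@dataclass
class FunctionRecord:
    calls: list[Call] = field(default_factory=list)
    api_id: str = ""


def is_literal(arg: str) -> bool:
    """Assumed convention: '?' and bare 8-digit hex values are arguments IDA could not name."""
    return arg not in ("", "?") and re.fullmatch(r"-?[0-9A-F]{8}", arg) is None


def parse_listing(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per 'APIs' header, in listing order."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is None:
            continue
        elif m := CALL_RE.search(line):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
        elif m := API_ID_RE.match(line):
            current.api_id = m.group("val").strip()
    return records


def resolved_exports(rec: FunctionRecord) -> list[tuple[str, str, str]]:
    """(ref, module, export) per GetProcAddress in the function's own body; '?' = unrecovered."""
    out: list[tuple[str, str, str]] = []
    module = "?"
    for c in rec.calls:
        if c.subcall_of:  # a callee's imports belong to the callee, not to this function
            continue
        if c.api in LOADERS:  # remember the most recent loader's module name, if it is a literal
            names = [a for a in c.args if is_literal(a) and a.lower().endswith(".dll")]
            module = names[0].lower() if names else "?"
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            export = c.args[1]
            out.append((c.ref, module, export if is_literal(export) else "?"))
    return out


def triage(text: str) -> list[dict]:
    """Per record: its API ID, the resolved triples, and whether any target is opaque."""
    rows = []
    for rec in parse_listing(text):
        ex = resolved_exports(rec)
        rows.append({"api_id": rec.api_id, "resolved": ex,
                     "opaque": any("?" in (mod, exp) for _, mod, exp in ex)})
    return rows
```

Running `triage(SAMPLE)` yields three rows: the first two name their targets (`kernel32.dll!Wow64DisableWow64FsRedirection`, `mscoree.dll!CorExitProcess`) and are not flagged; the third is flagged opaque because both the module and the export are `?`. Feeding the same function the full listing on this page works the same way, since the parser keys on the `APIs` headers and ignores the memory-dump, snapshot and hash lines. The `WideCharToMultiByte` subcall entry is parsed (its `subcall_of` is set) but does not affect the parent's resolution result.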
                    APIs
                    • GetCurrentProcessId.KERNEL32 ref: 005EA427
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005EA435
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 005EA468
                    • CloseHandle.KERNEL32(?), ref: 005EA63D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process$CloseCountersCurrentHandleOpen
                    • String ID:
                    • API String ID: 3488606520-0
                    • Opcode ID: 432834cd2a8f7b65546b7cd2173a28c008d377fca63ef7f1a292ad5f7a975fbc
                    • Instruction ID: 482650063fff0c95cc84695ac5c91379110d56b3385c6d240b3302382b11abef
                    • Opcode Fuzzy Hash: 432834cd2a8f7b65546b7cd2173a28c008d377fca63ef7f1a292ad5f7a975fbc
                    • Instruction Fuzzy Hash: 78A19E716043019FD724DF24D88AB2ABBE1BF84714F14885DF59A9B3D2DBB0EC418B92
                    APIs
                      • Part of subcall function 005CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005CCF22,?), ref: 005CDDFD
                      • Part of subcall function 005CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005CCF22,?), ref: 005CDE16
                      • Part of subcall function 005CE199: GetFileAttributesW.KERNEL32(?,005CCF95), ref: 005CE19A
                    • lstrcmpiW.KERNEL32(?,?), ref: 005CE473
                    • MoveFileW.KERNEL32(?,?), ref: 005CE4AC
                    • _wcslen.LIBCMT ref: 005CE5EB
                    • _wcslen.LIBCMT ref: 005CE603
                    • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 005CE650
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                    • String ID:
                    • API String ID: 3183298772-0
                    • Opcode ID: 52c926b9a996a28be65ba77ed7730117edb79aaf32f8ea466f741513b99f98ed
                    • Instruction ID: 0abff8aa6b12760b4d0b75562f596e15175684263951fd3e9869214dd80bb118
                    • Opcode Fuzzy Hash: 52c926b9a996a28be65ba77ed7730117edb79aaf32f8ea466f741513b99f98ed
                    • Instruction Fuzzy Hash: C4515FB24087459FC724EB90D885EDB7BECBFD4340F00492EE689D3191EE75A5888766
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                      • Part of subcall function 005EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005EB6AE,?,?), ref: 005EC9B5
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005EC9F1
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005ECA68
                      • Part of subcall function 005EC998: _wcslen.LIBCMT ref: 005ECA9E
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005EBAA5
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005EBB00
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005EBB63
                    • RegCloseKey.ADVAPI32(?,?), ref: 005EBBA6
                    • RegCloseKey.ADVAPI32(00000000), ref: 005EBBB3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                    • String ID:
                    • API String ID: 826366716-0
                    • Opcode ID: 3c9a22792537bcdcdcf7eda90fade66d77bb91cd68af30e50a357bae15a7b12b
                    • Instruction ID: 74dc1b121d1b764f5a36e9648e00c652ca832f93b3ff987e2b920b4695708fcd
                    • Opcode Fuzzy Hash: 3c9a22792537bcdcdcf7eda90fade66d77bb91cd68af30e50a357bae15a7b12b
                    • Instruction Fuzzy Hash: 68615E31108245AFE718DF15C494E6BBBE9FF84308F54896CF4998B2A2DB31ED45CB92
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 005C8BCD
                    • VariantClear.OLEAUT32 ref: 005C8C3E
                    • VariantClear.OLEAUT32 ref: 005C8C9D
                    • VariantClear.OLEAUT32(?), ref: 005C8D10
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005C8D3B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType
                    • String ID:
                    • API String ID: 4136290138-0
                    • Opcode ID: fef1f384b384a3f5d1b2883c9849fbcebc4e389b17f9253ae326690f058dea78
                    • Instruction ID: 35fb4b05f031ac042212c86eae6f10b41da437f63750d248843963fea0d12d22
                    • Opcode Fuzzy Hash: fef1f384b384a3f5d1b2883c9849fbcebc4e389b17f9253ae326690f058dea78
                    • Instruction Fuzzy Hash: D2515BB5A00219EFCB14CF58D894EAABBF8FF89310B158569E906DB350E734E911CB90
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005D8BAE
                    • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 005D8BDA
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005D8C32
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005D8C57
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005D8C5F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String
                    • String ID:
                    • API String ID: 2832842796-0
                    • Opcode ID: 4ff7ea48ec278541bc783f4431d5f39d99d3c95ea908f8f32b5dc401e682e3b8
                    • Instruction ID: 6c745372e3db4dfa5c535b21b5f53eeb43a9f38e67b91091552969e1867c7a3b
                    • Opcode Fuzzy Hash: 4ff7ea48ec278541bc783f4431d5f39d99d3c95ea908f8f32b5dc401e682e3b8
                    • Instruction Fuzzy Hash: A3515B35A00219DFCB14DF64C884A69BFF5FF48314F08849AE84AAB362DB35ED51DB90
                    APIs
                    • LoadLibraryW.KERNEL32(?,00000000,?), ref: 005E8F40
                    • GetProcAddress.KERNEL32(00000000,?), ref: 005E8FD0
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 005E8FEC
                    • GetProcAddress.KERNEL32(00000000,?), ref: 005E9032
                    • FreeLibrary.KERNEL32(00000000), ref: 005E9052
                      • Part of subcall function 0057F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,005D1043,?,753CE610), ref: 0057F6E6
                      • Part of subcall function 0057F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,005BFA64,00000000,00000000,?,?,005D1043,?,753CE610,?,005BFA64), ref: 0057F70D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                     • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                    • String ID:
                    • API String ID: 666041331-0
                    • Opcode ID: 8b913b93e43441335fed3f107e832ed89206d98b9483e8cf322845787bf2b372
                    • Instruction ID: 2df6a833234de5ce8228d20bebb78443d942fff0e61980623d7c758c788d86b3
                    • Opcode Fuzzy Hash: 8b913b93e43441335fed3f107e832ed89206d98b9483e8cf322845787bf2b372
                    • Instruction Fuzzy Hash: CD512835600246DFC715DF59C4988ADBFF1FF99314B0480A9E85AAB362DB31ED85CB90
                    APIs
                    • SetWindowLongW.USER32(00000002,000000F0,?), ref: 005F6C33
                    • SetWindowLongW.USER32(?,000000EC,?), ref: 005F6C4A
                    • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005F6C73
                    • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,005DAB79,00000000,00000000), ref: 005F6C98
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005F6CC7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: Window$Long$MessageSendShow
                    • String ID:
                    • API String ID: 3688381893-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    APIs
                    • GetCursorPos.USER32(?), ref: 00579141
                    • ScreenToClient.USER32(00000000,?), ref: 0057915E
                    • GetAsyncKeyState.USER32(00000001), ref: 00579183
                    • GetAsyncKeyState.USER32(00000002), ref: 0057919D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    APIs
                    • GetInputState.USER32 ref: 005D38CB
                    • TranslateAcceleratorW.USER32(?,00000000,?), ref: 005D3922
                    • TranslateMessage.USER32(?), ref: 005D394B
                    • DispatchMessageW.USER32(?), ref: 005D3955
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005D3966
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                    • String ID:
                    • API String ID: 2256411358-0
                    APIs
                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 005DCF38
                    • InternetReadFile.WININET(?,00000000,?,?), ref: 005DCF6F
                    • GetLastError.KERNEL32(?,00000000,?,?,?,005DC21E,00000000), ref: 005DCFB4
                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,005DC21E,00000000), ref: 005DCFC8
                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,005DC21E,00000000), ref: 005DCFF2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                    • String ID:
                    • API String ID: 3191363074-0
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 005C1915
                    • PostMessageW.USER32(00000001,00000201,00000001), ref: 005C19C1
                    • Sleep.KERNEL32(00000000,?,?,?), ref: 005C19C9
                    • PostMessageW.USER32(00000001,00000202,00000000), ref: 005C19DA
                    • Sleep.KERNEL32(00000000,?,?,?,?), ref: 005C19E2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    APIs
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 005F5745
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 005F579D
                    • _wcslen.LIBCMT ref: 005F57AF
                    • _wcslen.LIBCMT ref: 005F57BA
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 005F5816
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: MessageSend$_wcslen
                    • String ID:
                    • API String ID: 763830540-0
                    APIs
                    • IsWindow.USER32(00000000), ref: 005E0951
                    • GetForegroundWindow.USER32 ref: 005E0968
                    • GetDC.USER32(00000000), ref: 005E09A4
                    • GetPixel.GDI32(00000000,?,00000003), ref: 005E09B0
                    • ReleaseDC.USER32(00000000,00000003), ref: 005E09E8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: Window$ForegroundPixelRelease
                    • String ID:
                    • API String ID: 4156661090-0
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 0059CDC6
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0059CDE9
                      • Part of subcall function 00593820: RtlAllocateHeap.NTDLL(00000000,?,00631444,?,0057FDF5,?,?,0056A976,00000010,00631440,005613FC,?,005613C6,?,00561129), ref: 00593852
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0059CE0F
                    • _free.LIBCMT ref: 0059CE22
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0059CE31
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00579693
                    • SelectObject.GDI32(?,00000000), ref: 005796A2
                    • BeginPath.GDI32(?), ref: 005796B9
                    • SelectObject.GDI32(?,00000000), ref: 005796E2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    APIs
                    • GetLastError.KERNEL32(?,?,?,0058F2DE,00593863,00631444,?,0057FDF5,?,?,0056A976,00000010,00631440,005613FC,?,005613C6), ref: 00592DFD
                    • _free.LIBCMT ref: 00592E32
                    • _free.LIBCMT ref: 00592E59
                    • SetLastError.KERNEL32(00000000,00561129), ref: 00592E66
                    • SetLastError.KERNEL32(00000000,00561129), ref: 00592E6F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    APIs
                    • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?,?,?,005C035E), ref: 005C002B
                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?,?), ref: 005C0046
                    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?,?), ref: 005C0054
                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?), ref: 005C0064
                    • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005BFF41,80070057,?,?), ref: 005C0070
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?), ref: 005CE997
                    • QueryPerformanceFrequency.KERNEL32(?), ref: 005CE9A5
                    • Sleep.KERNEL32(00000000), ref: 005CE9AD
                    • QueryPerformanceCounter.KERNEL32(?), ref: 005CE9B7
                    • Sleep.KERNEL32 ref: 005CE9F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005C1114
                    • GetLastError.KERNEL32(?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C1120
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C112F
                    • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005C0B9B,?,?,?), ref: 005C1136
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005C114D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 842720411-0
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005C0FCA
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005C0FD6
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005C0FE5
                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005C0FEC
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005C1002
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005C102A
                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005C1036
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005C1045
                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005C104C
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005C1062
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: d0a647cbd7a0b246289c5a7b953f28d60645ade2d4af8df6292ed9241fcf4287
                    • Instruction ID: 042481285f7fcfb220507f5a5aa438f909cde3ef75403a21abd4243a9e89a17e
                    • Instruction Fuzzy Hash: 9BF0A935240309AFDB211FA6ED4DF6A3FADFF9A761F100828FA05D6291CA34D850DA60
                    APIs
                    • CloseHandle.KERNEL32(?,?,?,?,005D017D,?,005D32FC,?,00000001,005A2592,?), ref: 005D0324
                    • CloseHandle.KERNEL32(?,?,?,?,005D017D,?,005D32FC,?,00000001,005A2592,?), ref: 005D0331
                    • CloseHandle.KERNEL32(?,?,?,?,005D017D,?,005D32FC,?,00000001,005A2592,?), ref: 005D033E
                    • CloseHandle.KERNEL32(?,?,?,?,005D017D,?,005D32FC,?,00000001,005A2592,?), ref: 005D034B
                    • CloseHandle.KERNEL32(?,?,?,?,005D017D,?,005D32FC,?,00000001,005A2592,?), ref: 005D0358
                    • CloseHandle.KERNEL32(?,?,?,?,005D017D,?,005D32FC,?,00000001,005A2592,?), ref: 005D0365
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: 8a2bc6634678ed87a81d942026115fc674446acbf7877e0428e1ac1193fda76f
                    • Instruction ID: e529d63ff6e97a297cf66f4671bd209006bc2d5a5a7c499738736f2cadb5adef
                    • Instruction Fuzzy Hash: 8201AE72800B559FCB30AF6AD880916FBF9BF603153159E3FD19652A71C3B1A958DF80
                    APIs
                    • _free.LIBCMT ref: 0059D752
                      • Part of subcall function 005929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000), ref: 005929DE
                      • Part of subcall function 005929C8: GetLastError.KERNEL32(00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000,00000000), ref: 005929F0
                    • _free.LIBCMT ref: 0059D764
                    • _free.LIBCMT ref: 0059D776
                    • _free.LIBCMT ref: 0059D788
                    • _free.LIBCMT ref: 0059D79A
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 8fbb526e14dbaac25403e1e3889acb459baffda9a615f4dda2ef5e8d587f42f5
                    • Instruction ID: f591707c233e17dfff378a7ac55885f4b8bd576c69cff00e53381c0dda5809ff
                    • Instruction Fuzzy Hash: 89F0FF32544605ABCA21EBA4F9C5D1A7FEEFB44720BA41805F44CE7501C724FCC086B4
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 005C5C58
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 005C5C6F
                    • MessageBeep.USER32(00000000), ref: 005C5C87
                    • KillTimer.USER32(?,0000040A), ref: 005C5CA3
                    • EndDialog.USER32(?,00000001), ref: 005C5CBD
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: 75ae50dc2a3d5d4af124ca8807c728b4d916dacda1d01d701ec990d0cf5a80cd
                    • Instruction ID: a539d6acf8bf040b388e3b3317c0aafcfe28d5d723b35935d69988b031ec5839
                    • Instruction Fuzzy Hash: 7D0167305007049FEB205B94DE4EFA57FB8BB10B05F00056DA553E10E1EBF47D88DA50
                    APIs
                    • _free.LIBCMT ref: 005922BE
                      • Part of subcall function 005929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000), ref: 005929DE
                      • Part of subcall function 005929C8: GetLastError.KERNEL32(00000000,?,0059D7D1,00000000,00000000,00000000,00000000,?,0059D7F8,00000000,00000007,00000000,?,0059DBF5,00000000,00000000), ref: 005929F0
                    • _free.LIBCMT ref: 005922D0
                    • _free.LIBCMT ref: 005922E3
                    • _free.LIBCMT ref: 005922F4
                    • _free.LIBCMT ref: 00592305
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 401377ad06a5286d294272d1df4ef9cea0852fff6ac0f4c377ce2ac6642e66bc
                    • Instruction ID: 406f5623c54d9ff21c34fc3be214f7b423b95789e77b72a0ccb8e9c733d82065
                    • Instruction Fuzzy Hash: F8F03A74800921ABCF22EF64BC0580D3FA7B719760B00350AF818D72B1C7340A92EFE4
                    APIs
                    • EndPath.GDI32(?), ref: 005795D4
                    • StrokeAndFillPath.GDI32(?,?,005B71F7,00000000,?,?,?), ref: 005795F0
                    • SelectObject.GDI32(?,00000000), ref: 00579603
                    • DeleteObject.GDI32 ref: 00579616
                    • StrokePath.GDI32(?), ref: 00579631
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: 7f8cf4d2b0074f9868c5efb2f6d904e77cf08d718c1331a6d91d29ac26a0f373
                    • Instruction ID: bd12a6d7c7f2899a0c56aaf233a570b53b84b3fe7ee4bd5e9e97cd069422789c
                    • Instruction Fuzzy Hash: 11F0CD3500560CDBD7165F55ED1CB683F66BB12332F049324F459990F0CB348555EFA0
                    APIs
                    Strings
                    Similarity
                    • API ID: __freea$_free
                    • String ID: a/p$am/pm
                    • API String ID: 3432400110-3206640213
                    • Opcode ID: 547e34e6723fdd4bc043a54eab00da18e5ad8099b79d705d058ea83654d9edcb
                    • Instruction ID: 218d4d3e57215d0d1308f47ce0d09df7b75e1335e483930374b417bfad7d0fb6
                    • Instruction Fuzzy Hash: 74D1E235A00A27DBDF299F68C8497BEBFB5FF05300F280959E9059B650D3359D80CB99
                    APIs
                      • Part of subcall function 00580242: EnterCriticalSection.KERNEL32(0063070C,00631884,?,?,0057198B,00632518,?,?,?,005612F9,00000000), ref: 0058024D
                      • Part of subcall function 00580242: LeaveCriticalSection.KERNEL32(0063070C,?,0057198B,00632518,?,?,?,005612F9,00000000), ref: 0058028A
                      • Part of subcall function 005800A3: __onexit.LIBCMT ref: 005800A9
                    • __Init_thread_footer.LIBCMT ref: 005E6238
                      • Part of subcall function 005801F8: EnterCriticalSection.KERNEL32(0063070C,?,?,00578747,00632514), ref: 00580202
                      • Part of subcall function 005801F8: LeaveCriticalSection.KERNEL32(0063070C,?,00578747,00632514), ref: 00580235
                      • Part of subcall function 005D359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005D35E4
                      • Part of subcall function 005D359C: LoadStringW.USER32(00632390,?,00000FFF,?), ref: 005D360A
                    Strings
                    Similarity
                    • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                    • String ID: x#c$x#c$x#c
                    • API String ID: 1072379062-206817551
                    • Opcode ID: edd4119f9bbbc8b6b27e63ab8eb071e40dd3ec41771eb778e9310b0bfa9188cd
                    • Instruction ID: ef3945cfeac4d65f8c7fcb7ad67555f27bef7b3aa0e93f7ea2a08a8af3397c38
                    • Instruction Fuzzy Hash: 65C1D571A002469FCB18DF59C895DBEBBB9FF58380F10845AF945A7291D770ED44CB90
                    APIs
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00598B6E
                    • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00598B7A
                    • __dosmaperr.LIBCMT ref: 00598B81
                    Strings
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr
                    • String ID: .X
                    • API String ID: 2434981716-3424028424
                    • Opcode ID: 2e6589dfd39f489bb088e3b4e10970407e902bc718e36585358756b16244343f
                    • Instruction ID: cc2e2f28f87f937c5ce1b9564029a8803684ab0844e3d05b06bfe8e5f0708482
                    • Instruction Fuzzy Hash: 014146B0604045AFDF249F28CC94A7D7FA7FB87314F2C85A9E88587642DE318C02D790
                    APIs
                      • Part of subcall function 005CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005C21D0,?,?,00000034,00000800,?,00000034), ref: 005CB42D
                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005C2760
                      • Part of subcall function 005CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 005CB3F8
                      • Part of subcall function 005CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 005CB355
                      • Part of subcall function 005CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005C2194,00000034,?,?,00001004,00000000,00000000), ref: 005CB365
                      • Part of subcall function 005CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005C2194,00000034,?,?,00001004,00000000,00000000), ref: 005CB37B
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005C27CD
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005C281A
                    Strings
                    Similarity
                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                    • String ID: @
                    • API String ID: 4150878124-2766056989
                    • Opcode ID: 70b0c169ed459d6a7903e63cb45c2ceff1aa387547232fe9992a45750ed6c222
                    • Instruction ID: c2ce993df6cbbd68b4c1b5302649596d8830cde9114bc73867d370d5af64d679
                    • Instruction Fuzzy Hash: 9D412976900219AEDB10DBA4C986FEEBBB8FB49700F104099EA55B7181DA706E45CBA1
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3TpW2Sn68z.exe,00000104), ref: 00591769
                    • _free.LIBCMT ref: 00591834
                    • _free.LIBCMT ref: 0059183E
                    Strings
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: C:\Users\user\Desktop\3TpW2Sn68z.exe
                    • API String ID: 2506810119-3494399403
                    • Opcode ID: b587cfd327e76acc756f2415b3b6a7b7e651df02868ff67be0fba06d79b664d1
                    • Instruction ID: b2659c93493767457da072f6f60245ae28d0f2316b9d75d36e466ab1673a2f6d
                    • Instruction Fuzzy Hash: F9316F75A0062AABDF21DB999885DAEBFFCFB85350F144166F80497211D6708A80DBA4
                    APIs
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005CC306
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 005CC34C
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00631990,01215608), ref: 005CC395
                    Strings
                    Similarity
                    • API ID: Menu$Delete$InfoItem
                    • String ID: 0
                    • API String ID: 135850232-4108050209
                    • Opcode ID: 3a4e16f874887a7ed8d6f2ba4e61e645e51069313540705fc4396c33ca66846e
                    • Instruction ID: d0e217ae763cd18ed67a9790799f9e76099fa6e0dbaf67384a71fc39e300f348
                    • Instruction Fuzzy Hash: 75419F712043429FD720DF64E845F2ABFE8BBC5710F108A1DF9A9D7291D730A904CB52
                    APIs
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005FCC08,00000000,?,?,?,?), ref: 005F44AA
                    • GetWindowLongW.USER32 ref: 005F44C7
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005F44D7
                    Strings
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    • Opcode ID: 0a9f2a9b29a33c6988dceb53e898587059de29d7edc609006dfcde398889a40e
                    • Instruction ID: 0b4aa78bf68b4e301b361e4769beb6b5709147fc55092b662a3cf6ad21c545e5
                    • Instruction Fuzzy Hash: CC316D3111460AABDF109E38DC49BEB7BA9FB48324F204725FA75A31D0D778AC549B50
                    APIs
                    • SysReAllocString.OLEAUT32(?,?), ref: 005C6EED
                    • VariantCopyInd.OLEAUT32(?,?), ref: 005C6F08
                    • VariantClear.OLEAUT32(?), ref: 005C6F12
                    Strings
                    Similarity
                    • API ID: Variant$AllocClearCopyString
                    • String ID: *j\
                    • API String ID: 2173805711-928285910
                    • Opcode ID: c8af48d934e93f6e6f6c69d143c1cd3a45824d85d9deffa3ccbb4b0dbe5a3cda
                    • Instruction ID: b802b581a4de0dd54ba8929621624d4a39e63a8ebaf54f2e015af710db5d25a8
                    • Instruction Fuzzy Hash: 9B31B371604206DFCB05AFA4E854EBD7F75FF8A300B1008ACFA028B2A1D7749A95DB90
                    APIs
                      • Part of subcall function 005E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,005E3077,?,?), ref: 005E3378
                    • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005E307A
                    • _wcslen.LIBCMT ref: 005E309B
                    • htons.WSOCK32(00000000,?,?,00000000), ref: 005E3106
                    Strings
                    Similarity
                    • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                    • String ID: 255.255.255.255
                    • API String ID: 946324512-2422070025
                    • Opcode ID: 9adae16bdbdb3d9373b82d9c1515aeb58aa96863110ae5e3b5e80438d835196e
                    • Instruction ID: 369b2fb629abfbdd3542ae7dc21bd1dd20821da58f6a785594b234c323d5e79b
                    • Instruction Fuzzy Hash: C531E4352002859FCB28CF2AC58DEA97FE0FF54314F248059E8558B3A2C732DE45C760
                    APIs
                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005F4705
                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005F4713
                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005F471A
                    Strings
                    Similarity
                    • API ID: MessageSend$DestroyWindow
                    • String ID: msctls_updown32
                    • API String ID: 4014797782-2298589950
                    • Opcode ID: 468a8a9d26ed55c3cfde77668fb2e273becbd32cb9f9648cb3f5ba3a4fc34eae
                    • Instruction ID: bdd32fe4179700c5c8158b7b78596f278e9951f167c29bbe7790f329bef3702f
                    • Opcode Fuzzy Hash: 468a8a9d26ed55c3cfde77668fb2e273becbd32cb9f9648cb3f5ba3a4fc34eae
                    • Instruction Fuzzy Hash: 912151B5601209AFDB10DF68DC85DB73BADFB9A354B040059FA01DB291C734EC12CE60
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _wcslen
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 176396367-2734436370
                    • Opcode ID: b8d7100e38570cad71a9f59547048de86bafcaaced9251179fbba9948cd1659a
                    • Instruction ID: 352d159de1244519af758680e4b14d015f13119738c5504b028a3697ac78fe5c
                    • Opcode Fuzzy Hash: b8d7100e38570cad71a9f59547048de86bafcaaced9251179fbba9948cd1659a
                    • Instruction Fuzzy Hash: B92126322041126AD331AB64D80EFB77F98FF95314F50442EF94997081EB659D81C395
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005F3840
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005F3850
                    • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005F3876
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    • Opcode ID: cd612b624cea200999ae793a011d7694dae97f8cece09e5d4f02aff8e63f289f
                    • Instruction ID: b0f44d1fad524bcc1923ecaa1aa5e2a28d521ed6cf54acbe1c9bff288ebec802
                    • Opcode Fuzzy Hash: cd612b624cea200999ae793a011d7694dae97f8cece09e5d4f02aff8e63f289f
                    • Instruction Fuzzy Hash: A0218072611118BBEB119F54DC45EBB3B6AFF897A0F118124FA049B190C679DD52C7A0
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 005D4A08
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005D4A5C
                    • SetErrorMode.KERNEL32(00000000,?,?,005FCC08), ref: 005D4AD0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorMode$InformationVolume
                    • String ID: %lu
                    • API String ID: 2507767853-685833217
                    • Opcode ID: 4ad9681ed7f4f60b9724487b971d3799eee4c1cb8c683c9530a22374443464aa
                    • Instruction ID: 5253c8bb7bcdd2bad6314bf47fe5fde0cd5faa151c286ce17166c2c274f43fba
                    • Opcode Fuzzy Hash: 4ad9681ed7f4f60b9724487b971d3799eee4c1cb8c683c9530a22374443464aa
                    • Instruction Fuzzy Hash: 76317C74A00209AFDB10DF58C985EAA7BF8FF48308F1480A9E809DB352D771ED45CB61
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005F424F
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005F4264
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005F4271
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: 3a88d8c0f71ca20418c9bb1b5930d39473a80c397fb2d9ecbe6281d6ba7fe467
                    • Instruction ID: d79c72d22c192dfb0aa2e9d6960554713c75e65c29de4b6660207c220f91fb7c
                    • Opcode Fuzzy Hash: 3a88d8c0f71ca20418c9bb1b5930d39473a80c397fb2d9ecbe6281d6ba7fe467
                    • Instruction Fuzzy Hash: 6D11E031240248BEEF205E28CC06FBB3FADFF95B64F010524FA55E60A0D275D811DB20
                    APIs
                      • Part of subcall function 00566B57: _wcslen.LIBCMT ref: 00566B6A
                      • Part of subcall function 005C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005C2DC5
                      • Part of subcall function 005C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 005C2DD6
                      • Part of subcall function 005C2DA7: GetCurrentThreadId.KERNEL32 ref: 005C2DDD
                      • Part of subcall function 005C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005C2DE4
                    • GetFocus.USER32 ref: 005C2F78
                      • Part of subcall function 005C2DEE: GetParent.USER32(00000000), ref: 005C2DF9
                    • GetClassNameW.USER32(?,?,00000100), ref: 005C2FC3
                    • EnumChildWindows.USER32(?,005C303B), ref: 005C2FEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                    • String ID: %s%d
                    • API String ID: 1272988791-1110647743
                    • Opcode ID: b88ec6a6ebd6d9ca3807ab2e5ef5b6cbe8d6d40dcd0a047113e3ce975505432a
                    • Instruction ID: 15640d6fd29c253543a21cea5051964644f28ea253efc2fcd2ccd794044c6762
                    • Opcode Fuzzy Hash: b88ec6a6ebd6d9ca3807ab2e5ef5b6cbe8d6d40dcd0a047113e3ce975505432a
                    • Instruction Fuzzy Hash: AD11667160020A9BCF54AFA4DC89FED3F6ABFD4304F048079B909D7192DE7559499B60
                    APIs
                    • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005F58C1
                    • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005F58EE
                    • DrawMenuBar.USER32(?), ref: 005F58FD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Menu$InfoItem$Draw
                    • String ID: 0
                    • API String ID: 3227129158-4108050209
                    • Opcode ID: 3667bbc9d1bdfdfc2d483bf88ff47f7f843aa7a19bae2c3a5dfd9b4f54f7d7fb
                    • Instruction ID: 9dc7caf17de9cd591428b5687a57385466622b1dfb847712defb5964f99fe80c
                    • Opcode Fuzzy Hash: 3667bbc9d1bdfdfc2d483bf88ff47f7f843aa7a19bae2c3a5dfd9b4f54f7d7fb
                    • Instruction Fuzzy Hash: 00013C3150021CEEDB619F11D848BAABFB9BF45360F1080A9EA49D6151EB748A84EF21
                    APIs
                    • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 005BD3BF
                    • FreeLibrary.KERNEL32 ref: 005BD3E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: AddressFreeLibraryProc
                    • String ID: GetSystemWow64DirectoryW$X64
                    • API String ID: 3013587201-2590602151
                    • Opcode ID: 4586307f1793367862545cbc70c586ea334b55796929085f69851fe0558e44e1
                    • Instruction ID: 36d1ded3181460570edb07cfef86614253af6aeb7a4fb182e09756b0bd281ef9
                    • Opcode Fuzzy Hash: 4586307f1793367862545cbc70c586ea334b55796929085f69851fe0558e44e1
                    • Instruction Fuzzy Hash: C8F05C2550162987D73143104C24DFD7F707F10701B998C35E405E5105F718DC44D6B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 92f24adf4466fd5423c73933c5e7c8e3fe68c4f5cb6dcfc5479c048fa5de8f36
                    • Instruction ID: 7f25360ca3fc46df0b1485922626ef435b04d4780f9c181e7f5804347b926d4d
                    • Opcode Fuzzy Hash: 92f24adf4466fd5423c73933c5e7c8e3fe68c4f5cb6dcfc5479c048fa5de8f36
                    • Instruction Fuzzy Hash: E4C13775A0021AEFCB04CFA4C898FAEBBB5FF48714F249598E505AB291D731ED41DB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Variant$ClearInitInitializeUninitialize
                    • String ID:
                    • API String ID: 1998397398-0
                    • Opcode ID: f38685b2381de273e7dc27fb43aa3ee0246624389d5520ee68f00fc6a39489fd
                    • Instruction ID: 8c9baa06f4e13de9fa918c02466518bd99da159aaa167ad33812eff37c56a3bb
                    • Opcode Fuzzy Hash: f38685b2381de273e7dc27fb43aa3ee0246624389d5520ee68f00fc6a39489fd
                    • Instruction Fuzzy Hash: 14A14D756043059FC714DF29C589A2ABBE5FF8C714F04885AF98A9B362DB30EE05CB51
                    APIs
                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005FFC08,?), ref: 005C05F0
                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005FFC08,?), ref: 005C0608
                    • CLSIDFromProgID.OLE32(?,?,00000000,005FCC40,000000FF,?,00000000,00000800,00000000,?,005FFC08,?), ref: 005C062D
                    • _memcmp.LIBVCRUNTIME ref: 005C064E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FromProg$FreeTask_memcmp
                    • String ID:
                    • API String ID: 314563124-0
                    • Opcode ID: 5dd1545a0045658bdf9df651650e5bf320829e51d972671c3b8ac2683f9fafc4
                    • Instruction ID: 8c17b58f4444fc05f7573390da90bae2b4fe68a8ccb2b865ffb79040f79d0c96
                    • Opcode Fuzzy Hash: 5dd1545a0045658bdf9df651650e5bf320829e51d972671c3b8ac2683f9fafc4
                    • Instruction Fuzzy Hash: F381E975A00109EFCB04DFD4C984EEEBBB9FF89315F205558E506AB290DB71AE46CB60
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: c396b836247baea0f360bbb50356314f9e8aa1a5b0b0069a6e7ccd9a22e86430
                    • Instruction ID: 29f82041330a1518a8cd57bce5f9e22ef90406689d0ee5d8a8b5d9e03654baac
                    • Opcode Fuzzy Hash: c396b836247baea0f360bbb50356314f9e8aa1a5b0b0069a6e7ccd9a22e86430
                    • Instruction Fuzzy Hash: 19413B35A00A16ABDF217BBD8C4AABE3EA4FF8F370F140625F819D6192F634484157A5
                    APIs
                    • GetWindowRect.USER32(0121E960,?), ref: 005F62E2
                    • ScreenToClient.USER32(?,?), ref: 005F6315
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005F6382
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    • Opcode ID: bf89316d3c233ae9275d7c5c0862d2612bb6d9d1f5fe0aef232b597a3555be77
                    • Instruction ID: c979cc920ffa4fb7254dcc60782f8e7ca4a87598e8f4587222169b2958e451e5
                    • Opcode Fuzzy Hash: bf89316d3c233ae9275d7c5c0862d2612bb6d9d1f5fe0aef232b597a3555be77
                    • Instruction Fuzzy Hash: D7512974A00209EFCB14DF68D980ABE7BB6FB55360F108569FA159B2A0D734ED41CB90
                    APIs
                    • socket.WSOCK32(00000002,00000002,00000011), ref: 005E1AFD
                    • WSAGetLastError.WSOCK32 ref: 005E1B0B
                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005E1B8A
                    • WSAGetLastError.WSOCK32 ref: 005E1B94
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorLast$socket
                    • String ID:
                    • API String ID: 1881357543-0
                    • Opcode ID: ffffb4d96fbe497cdaba1c0855fc6645c71f1630b4868018c0b658e0e484a0c1
                    • Instruction ID: 8c7a97773ca86da0318f7687602c353b75b387bcf2a4762f57c7e17dba7b9f51
                    • Opcode Fuzzy Hash: ffffb4d96fbe497cdaba1c0855fc6645c71f1630b4868018c0b658e0e484a0c1
                    • Instruction Fuzzy Hash: 4F41B274600601AFE724AF24C88AF267BE5BB84718F54C458F95A9F3D2D772ED41CB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 84b7be04bcb964f0c48824656df875d837866927ce70080593b1f37732907fbd
                    • Instruction ID: 01f5cfc15d07900b94ec9b5f9cb6ab83a3422482eddf664c0123a7285cc754fa
                    • Opcode Fuzzy Hash: 84b7be04bcb964f0c48824656df875d837866927ce70080593b1f37732907fbd
                    • Instruction Fuzzy Hash: AF410275A00704AFFB24AF78DD45BAABFAAFBC8710F10452AF506DB292D37199018780
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005D5783
                    • GetLastError.KERNEL32(?,00000000), ref: 005D57A9
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005D57CE
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005D57FA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    • Opcode ID: 068010c0b9b55d826e5a4516f2369587af1270cb985075e80e962c202d2f65e3
                    • Instruction ID: a9dfb80cd226b14109851d7486acf249636db8fca8fbcebeb545c5c2d4287c77
                    • Opcode Fuzzy Hash: 068010c0b9b55d826e5a4516f2369587af1270cb985075e80e962c202d2f65e3
                    • Instruction Fuzzy Hash: 33413C39200615DFCB20EF15C548A5DBFE2FF99324B188489E84A9B362DB34FD40DB91
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00586D71,00000000,00000000,005882D9,?,005882D9,?,00000001,00586D71,?,00000001,005882D9,005882D9), ref: 0059D910
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0059D999
                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0059D9AB
                    • __freea.LIBCMT ref: 0059D9B4
                      • Part of subcall function 00593820: RtlAllocateHeap.NTDLL(00000000,?,00631444,?,0057FDF5,?,?,0056A976,00000010,00631440,005613FC,?,005613C6,?,00561129), ref: 00593852
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                    • String ID:
                    • API String ID: 2652629310-0
                    • Opcode ID: 9fba9eacd61f92c86561da9c1d656d2f7b961590725ba62be7f0d3e9c7d695d7
                    • Instruction ID: e7063144fff3a1024aba1f0d1252928a4faa2146a6f3bfc6a35c71f459119eca
                    • Opcode Fuzzy Hash: 9fba9eacd61f92c86561da9c1d656d2f7b961590725ba62be7f0d3e9c7d695d7
                    • Instruction Fuzzy Hash: 89319D72A0020AABDF24EF64DC45EAE7FB5FB40350B054169FC04E6191EB39CD54CBA0
                    APIs
                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 005F5352
                    • GetWindowLongW.USER32(?,000000F0), ref: 005F5375
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005F5382
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005F53A8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: LongWindow$InvalidateMessageRectSend
                    • String ID:
                    • API String ID: 3340791633-0
                    • Opcode ID: cb36eeeee64b8bc9c4d382ed3232cf0b505eff40018bab12b1564dc4ce13113b
                    • Instruction ID: 3aba520d025a5b66d5884d3efc2af4d189000ee15f4aca51ab350390b8ce9a0e
                    • Opcode Fuzzy Hash: cb36eeeee64b8bc9c4d382ed3232cf0b505eff40018bab12b1564dc4ce13113b
                    • Instruction Fuzzy Hash: B831B234A55A0CEFEB309E1CCC05BF97F66BB05390F984911FB10961E1E7B89940EB42
                    APIs
                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 005CABF1
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 005CAC0D
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 005CAC74
                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 005CACC6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: e59d94273ef5c2f647f75dfcd89d22a93afe3c91f5fed207c32ef3ee74ef1cda
                    • Instruction ID: 5667268cef7e3bcd721a815a7f7d3563c1118b0d13ca205e795d19947be742d4
                    • Opcode Fuzzy Hash: e59d94273ef5c2f647f75dfcd89d22a93afe3c91f5fed207c32ef3ee74ef1cda
                    • Instruction Fuzzy Hash: A2311230A4421CAFFF258BA88808FFA7FB5BB89318F04461EF481961D1C3788D859792
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 005F769A
                    • GetWindowRect.USER32(?,?), ref: 005F7710
                    • PtInRect.USER32(?,?,005F8B89), ref: 005F7720
                    • MessageBeep.USER32(00000000), ref: 005F778C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    • Opcode ID: 4a2423bb8c176177217f418e9c585d6835406b1d9f3fa42f26c2569b11bbc20b
                    • Instruction ID: e0128ddf44115b900c3d9263db1147e2dfd702066c51bb522715bbd9453eeecb
                    • Opcode Fuzzy Hash: 4a2423bb8c176177217f418e9c585d6835406b1d9f3fa42f26c2569b11bbc20b
                    • Instruction Fuzzy Hash: E2416B34A1A21DDFCB01EF58C894EB97BF6FB4D314F1540A8E614DB2A1C738A946CB90
                    APIs
                    • GetForegroundWindow.USER32 ref: 005F16EB
                      • Part of subcall function 005C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005C3A57
                      • Part of subcall function 005C3A3D: GetCurrentThreadId.KERNEL32 ref: 005C3A5E
                      • Part of subcall function 005C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005C25B3), ref: 005C3A65
                    • GetCaretPos.USER32(?), ref: 005F16FF
                    • ClientToScreen.USER32(00000000,?), ref: 005F174C
                    • GetForegroundWindow.USER32 ref: 005F1752
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    • Opcode ID: cf7716039680e72223f2a820758d94126a13ee8ec300561f544166e73f776401
                    • Instruction ID: 2dcb76957882bd93ba8b53739fe78c49a1f3b4ecaa3d63138fe2ac28bd5759ac
                    • Opcode Fuzzy Hash: cf7716039680e72223f2a820758d94126a13ee8ec300561f544166e73f776401
                    • Instruction Fuzzy Hash: 48313E75D01149AFCB04EFA9C985DAEBBF9FF88304B5080AAE415E7211DA359E45CBA0
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 005CD501
                    • Process32FirstW.KERNEL32(00000000,?), ref: 005CD50F
                    • Process32NextW.KERNEL32(00000000,?), ref: 005CD52F
                    • CloseHandle.KERNEL32(00000000), ref: 005CD5DC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: 5e6272ed59b7f1f228d16b3a589ebfb1c6d7674adabe0e3b32fd4858441e5cec
                    • Instruction ID: b40460d08797d508162c0abf740808bfedfdff9b7f82a91e4ad51f0b48e7433f
                    • Opcode Fuzzy Hash: 5e6272ed59b7f1f228d16b3a589ebfb1c6d7674adabe0e3b32fd4858441e5cec
                    • Instruction Fuzzy Hash: C1318A711082019FD300EF94C885EABBFF8BFD9344F10092DF581831A1EB719948DBA2
                    APIs
                      • Part of subcall function 00579BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00579BB2
                    • GetCursorPos.USER32(?), ref: 005F9001
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005B7711,?,?,?,?,?), ref: 005F9016
                    • GetCursorPos.USER32(?), ref: 005F905E
                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005B7711,?,?,?), ref: 005F9094
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    • Opcode ID: 8e80427c245a7893569d098c13c19be5b02833cd59d5f9d17773b0a2b1c7b5ad
                    • Instruction ID: c31ed13218f8adc85140c1a495b03204c974c09e226eeaf6f9604018fb9ef6dc
                    • Opcode Fuzzy Hash: 8e80427c245a7893569d098c13c19be5b02833cd59d5f9d17773b0a2b1c7b5ad
                    • Instruction Fuzzy Hash: D2214D3560041CAFDB158F94C858FFA7FBAFB8A350F144065F6058B2A1C7399990EB60
                    APIs
                    • GetFileAttributesW.KERNEL32(?,005FCB68), ref: 005CD2FB
                    • GetLastError.KERNEL32 ref: 005CD30A
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 005CD319
                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005FCB68), ref: 005CD376
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateDirectory$AttributesErrorFileLast
                    • String ID:
                    • API String ID: 2267087916-0
                    • Opcode ID: 1634343405a38a5f3e103361709bbbc43824764bb0937b5ee6bd31c079a9e0ec
                    • Instruction ID: 6337b9ed5d767c6e4b902082461deffb45a9ebc5c3f81ab5032d5cb6d3469f8c
                    • Opcode Fuzzy Hash: 1634343405a38a5f3e103361709bbbc43824764bb0937b5ee6bd31c079a9e0ec
                    • Instruction Fuzzy Hash: A4217E745042069F8300DF68C9859AABFE8FE95764F504E2EF499C72A1D7309949CBA3
                    APIs
                      • Part of subcall function 005C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005C102A
                      • Part of subcall function 005C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005C1036
                      • Part of subcall function 005C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005C1045
                      • Part of subcall function 005C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005C104C
                      • Part of subcall function 005C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005C1062
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005C15BE
                    • _memcmp.LIBVCRUNTIME ref: 005C15E1
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C1617
                    • HeapFree.KERNEL32(00000000), ref: 005C161E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 1592001646-0
                    • Opcode ID: 648170ec9756962ac928211c187d9cfcb469e972821f1e4f5b610c6315d12b9b
                    • Instruction ID: e9941e9235fa7f6739d9389bb74882ae33398a5f65ff2b36368e7124334644ff
                    • Opcode Fuzzy Hash: 648170ec9756962ac928211c187d9cfcb469e972821f1e4f5b610c6315d12b9b
                    • Instruction Fuzzy Hash: 49216B71E00509AFDF10DFA4C949FEEBBB8FF46344F184459E441AB242D734AA45DB54
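                    The three listings above (the GetForegroundWindow / AttachThreadInput / GetCaretPos function, the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW process walk, and the GetTokenInformation(TokenIntegrityLevel) query) are the kind of API sequences an analyst matches against when triaging a report in this format. The following is an added example by the editor, not code from Joe Security, from the report generator or from the analysed sample: a parser for the "APIs" bullet lines as they appear on this page, plus three illustrative signatures of the editor's own. The sample text is copied from the entries on this page; the signature labels and the rule set are assumptions for illustration, not the sandbox's actual detection logic.

```python
"""Parser and signature matcher for the per-function "APIs" listings in a Joe
Sandbox report. Added example by the editor, not code from Joe Security or
from the analysed sample; the signatures are illustrative rules of the
editor's own, not the sandbox's detection logic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three "APIs" listings copied verbatim from entries on this page.
SAMPLE_REPORT = """\
APIs
• GetForegroundWindow.USER32 ref: 005F16EB
  • Part of subcall function 005C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005C3A57
  • Part of subcall function 005C3A3D: GetCurrentThreadId.KERNEL32 ref: 005C3A5E
  • Part of subcall function 005C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005C25B3), ref: 005C3A65
• GetCaretPos.USER32(?), ref: 005F16FF
• ClientToScreen.USER32(00000000,?), ref: 005F174C
• GetForegroundWindow.USER32 ref: 005F1752
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 005CD501
• Process32FirstW.KERNEL32(00000000,?), ref: 005CD50F
• Process32NextW.KERNEL32(00000000,?), ref: 005CD52F
• CloseHandle.KERNEL32(00000000), ref: 005CD5DC
Memory Dump Source
APIs
  • Part of subcall function 005C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005C102A
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005C15BE
• _memcmp.LIBVCRUNTIME ref: 005C15E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C1617
• HeapFree.KERNEL32(00000000), ref: 005C161E
Memory Dump Source
"""

# One bullet line: optional "Part of subcall function <addr>:" prefix, the call
# text, an optional trailing comma, then "ref: <call-site address>".
BULLET = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-F]+):\s*)?(.*?),?\s+ref:\s*([0-9A-F]+)\s*$")
# The call text: Name.MODULE with an optional (argument list); the argument list
# may itself contain parentheses, e.g. 00000003(TokenIntegrityLevel).
CALL = re.compile(r"^(\w+)\.([A-Z0-9]+)(?:\((.*)\))?$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str               # raw argument text, '' when the report lists none
    ref: str                # address of the call site
    subcall: Optional[str]  # callee address when the call happens inside a subcall


@dataclass
class Function:
    calls: List[ApiCall] = field(default_factory=list)

    def names(self, include_subcalls: bool = True) -> List[str]:
        return [c.name for c in self.calls if include_subcalls or c.subcall is None]


def parse_functions(text: str) -> List[Function]:
    """Start a new function at each "APIs" header and collect its bullet lines
    up to the next "Memory Dump Source" line."""
    functions, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = Function()
            functions.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = BULLET.match(line)
        if current is None or not m:
            continue
        subcall, call_text, ref = m.groups()
        cm = CALL.match(call_text)
        if not cm:
            continue  # not an API bullet; skip it
        name, module, args = cm.groups()
        current.calls.append(ApiCall(name, module, args or "", ref, subcall))
    return functions


@dataclass(frozen=True)
class Signature:
    label: str
    apis: frozenset
    arg_marker: Optional[str] = None  # substring required in one matching call's args

    def matches(self, fn: Function, include_subcalls: bool = True) -> bool:
        if not self.apis <= set(fn.names(include_subcalls)):
            return False
        if self.arg_marker is None:
            return True
        return any(self.arg_marker in c.args for c in fn.calls
                   if c.name in self.apis and (include_subcalls or c.subcall is None))


# Illustrative rules (the editor's assumptions, not the sandbox's): each names a
# Win32 primitive seen in this report, not a verdict on what the sample does with it.
SIGNATURES = [
    Signature("process enumeration (Toolhelp32)",
              frozenset({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"})),
    Signature("foreground input-queue attach with caret read",
              frozenset({"GetForegroundWindow", "AttachThreadInput", "GetCaretPos"})),
    Signature("integrity level query",
              frozenset({"GetTokenInformation"}), arg_marker="TokenIntegrityLevel"),
]


def match_signatures(text: str, include_subcalls: bool = True) -> List[List[str]]:
    """Per function, in order of appearance, the labels of the signatures it matches."""
    return [[s.label for s in SIGNATURES if s.matches(fn, include_subcalls)]
            for fn in parse_functions(text)]


if __name__ == "__main__":
    for i, labels in enumerate(match_signatures(SAMPLE_REPORT)):
        print(f"function {i}: {labels or ['-']}")
```

Whether a caller is credited with APIs reached only through a subcall is a policy choice that changes the result: with include_subcalls=False the first and third functions no longer match, because AttachThreadInput and GetTokenInformation are reached only via the callees 005C3A3D and 005C1014, while the Toolhelp32 walk still matches since all of its calls are direct.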
                    APIs
                    • GetWindowLongW.USER32(?,000000EC), ref: 005F280A
                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005F2824
                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005F2832
                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005F2840
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$Long$AttributesLayered
                    • String ID:
                    • API String ID: 2169480361-0
                    • Opcode ID: a0ae745534896240720c93ebbe2b5150fd49eb9f6f7d0cb4a465d84706c3171f
                    • Instruction ID: b54222699e76222ddd919c2a57132a0fdaa2317a85a60f6023c8eee90a7d1429
                    • Opcode Fuzzy Hash: a0ae745534896240720c93ebbe2b5150fd49eb9f6f7d0cb4a465d84706c3171f
                    • Instruction Fuzzy Hash: 0D21E03120961AAFD7149B24C844FBA7F95FF85324F148158F526CB6E2CB79EC82CB90
                    APIs
                      • Part of subcall function 005C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,005C790A,?,000000FF,?,005C8754,00000000,?,0000001C,?,?), ref: 005C8D8C
                      • Part of subcall function 005C8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 005C8DB2
                      • Part of subcall function 005C8D7D: lstrcmpiW.KERNEL32(00000000,?,005C790A,?,000000FF,?,005C8754,00000000,?,0000001C,?,?), ref: 005C8DE3
                    • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,005C8754,00000000,?,0000001C,?,?,00000000), ref: 005C7923
                    • lstrcpyW.KERNEL32(00000000,?), ref: 005C7949
                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,005C8754,00000000,?,0000001C,?,?,00000000), ref: 005C7984
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: lstrcmpilstrcpylstrlen
                    • String ID: cdecl
                    • API String ID: 4031866154-3896280584
                    • Opcode ID: 5680e7e1702f7a7bba0c8d611bfca102051e6ddd49a0f5a73743f253be7e60f3
                    • Instruction ID: 625a17c50bd027c3212c6ca5ac2ad480b75c8718219dbe68e35d94ec5e51931d
                    • Opcode Fuzzy Hash: 5680e7e1702f7a7bba0c8d611bfca102051e6ddd49a0f5a73743f253be7e60f3
                    • Instruction Fuzzy Hash: 6B11E93A200706AFCB159F74D845E7A7BE9FF99350B50402EF946C72A4EB319811DBA1
                    APIs
                    • GetWindowLongW.USER32(?,000000F0), ref: 005F7D0B
                    • SetWindowLongW.USER32(00000000,000000F0,?), ref: 005F7D2A
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005F7D42
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005DB7AD,00000000), ref: 005F7D6B
                      • Part of subcall function 00579BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00579BB2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Window$Long
                    • String ID:
                    • API String ID: 847901565-0
                    • Opcode ID: 89dd3bf8c5b67433c12caba48bc6b9ea0b799abcbe50db64e34708bcc7a6a390
                    • Instruction ID: c314456aba5e0616a8474fc36bf9103eae579d48272a2ea4e2f0ecf5d3f83451
                    • Opcode Fuzzy Hash: 89dd3bf8c5b67433c12caba48bc6b9ea0b799abcbe50db64e34708bcc7a6a390
                    • Instruction Fuzzy Hash: 4D118E3150861DAFCB109F28DC04A763FA9BF4A360B558724F939CB2E0D7349951DB90
                    APIs
                    • SendMessageW.USER32(?,00001060,?,00000004), ref: 005F56BB
                    • _wcslen.LIBCMT ref: 005F56CD
                    • _wcslen.LIBCMT ref: 005F56D8
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 005F5816
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend_wcslen
                    • String ID:
                    • API String ID: 455545452-0
                    • Opcode ID: b50678ed1caae05022b515e7c55ef642a0a81a92a6946ac449bb9c55b61dc244
                    • Instruction ID: 241822fe66dfd13facc37de0c514e3580df43b37e0e08f51a666f1a95e378067
                    • Opcode Fuzzy Hash: b50678ed1caae05022b515e7c55ef642a0a81a92a6946ac449bb9c55b61dc244
                    • Instruction Fuzzy Hash: 7811B471A0060D96DF20AF658C89AFE7FACFF51760F104526FB15DA081FB788984CB60
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 00de3b3dc1eedc1222d657bfa1d057bd819aba542fe46911de15db29e413c563
                    • Instruction ID: 7851dc2023c89b47f22d446f3e22ad0c0d83229927024e16891d79891e69f118
                    • Opcode Fuzzy Hash: 00de3b3dc1eedc1222d657bfa1d057bd819aba542fe46911de15db29e413c563
                    • Instruction Fuzzy Hash: FD018FB2205B2B7EFE1116786CC4F276E1DFF813B8F340725F525911D2DB608C4091A4
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 005C1A47
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005C1A59
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005C1A6F
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005C1A8A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 2c5d3ca5a1e91e7525ec47d3be3d193148386f820fdc4a622de4ca0e4b2beae4
                    • Instruction ID: 3a9e620af4d2dadc03f5593c3b4630827e76d6652da84557f92aa0460ca6fa0c
                    • Opcode Fuzzy Hash: 2c5d3ca5a1e91e7525ec47d3be3d193148386f820fdc4a622de4ca0e4b2beae4
                    • Instruction Fuzzy Hash: D111273A901219FFEB109BA4CD85FADBB78FB08750F2000A5EA01B7290D6716E50DBD8
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 005CE1FD
                    • MessageBoxW.USER32(?,?,?,?), ref: 005CE230
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005CE246
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005CE24D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                    • String ID:
                    • API String ID: 2880819207-0
                    • Opcode ID: 3309e9e61a5f73d3a2044ec5e67351196d35250b32bbaf8856a8bcad648441bc
                    • Instruction ID: 0868a0ab1a763835b1579053136234e189df1432df724bc7a7f3a505a73137dd
                    • Opcode Fuzzy Hash: 3309e9e61a5f73d3a2044ec5e67351196d35250b32bbaf8856a8bcad648441bc
                    • Instruction Fuzzy Hash: 1011C876904258BFD7019BE89C0AFAE7FADEB46320F044269F925E7291D6B48904D7A0
                    APIs
                    • CreateThread.KERNEL32(00000000,?,0058CFF9,00000000,00000004,00000000), ref: 0058D218
                    • GetLastError.KERNEL32 ref: 0058D224
                    • __dosmaperr.LIBCMT ref: 0058D22B
                    • ResumeThread.KERNEL32(00000000), ref: 0058D249
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Thread$CreateErrorLastResume__dosmaperr
                    • String ID:
                    • API String ID: 173952441-0
                    • Opcode ID: 9173eadd305397d916474a837368af2d59ec5417881914fd4eb570ae4f5d4d4f
                    • Instruction ID: 51c372e104617ce1518c6cdbfd184b3f3acfa41e100ac33f4edbc1a074e7e01c
                    • Opcode Fuzzy Hash: 9173eadd305397d916474a837368af2d59ec5417881914fd4eb570ae4f5d4d4f
                    • Instruction Fuzzy Hash: CC01C43A405109BBDB117BA5DC09AAA7FB9FF81330F100229FD26A21E0DB708905D7B0
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0056604C
                    • GetStockObject.GDI32(00000011), ref: 00566060
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0056606A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CreateMessageObjectSendStockWindow
                    • String ID:
                    • API String ID: 3970641297-0
                    • Opcode ID: 357def233f3a2d8572625edd7318795403adbd5ef878a53ac5ca934d8eeb7dd9
                    • Instruction ID: 6f706cf8fa5b9cf31cf21f7c24e91e701afc043a1336e883c65eb841e3d9af6c
                    • Opcode Fuzzy Hash: 357def233f3a2d8572625edd7318795403adbd5ef878a53ac5ca934d8eeb7dd9
                    • Instruction Fuzzy Hash: EB116D72501509BFEF125FA49C48EEABF6DFF193A4F040225FA1596110D7369C60EFA1
                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00583B56
                      • Part of subcall function 00583AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00583AD2
                      • Part of subcall function 00583AA3: ___AdjustPointer.LIBCMT ref: 00583AED
                    • _UnwindNestedFrames.LIBCMT ref: 00583B6B
                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00583B7C
                    • CallCatchBlock.LIBVCRUNTIME ref: 00583BA4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                    • String ID:
                    • API String ID: 737400349-0
                    • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                    • Instruction ID: b1e45e9f61b28039178b284043be76465bd39a86f9bd5f5c04ac6d7b07fcf8dd
                    • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                    • Instruction Fuzzy Hash: 3301E97210014ABBDF127E95CC4AEEB7F69FF98B54F044014FE4866121D732E961DBA0
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005613C6,00000000,00000000,?,0059301A,005613C6,00000000,00000000,00000000,?,0059328B,00000006,FlsSetValue), ref: 005930A5
                    • GetLastError.KERNEL32(?,0059301A,005613C6,00000000,00000000,00000000,?,0059328B,00000006,FlsSetValue,00602290,FlsSetValue,00000000,00000364,?,00592E46), ref: 005930B1
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0059301A,005613C6,00000000,00000000,00000000,?,0059328B,00000006,FlsSetValue,00602290,FlsSetValue,00000000), ref: 005930BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: 215ca68ff72b04a2412afa49f0bfa57e173b460fbba8fdb98fd76a35ca0b54b2
                    • Instruction ID: e371aed0b3e41ba370bd30dd9668b39832376031b4a84b5fc051c8d649a9484b
                    • Opcode Fuzzy Hash: 215ca68ff72b04a2412afa49f0bfa57e173b460fbba8fdb98fd76a35ca0b54b2
                    • Instruction Fuzzy Hash: 8F01F236341226EBDF314B78AC4CA6B7F99BF05BA1B210A24F916E7190D725DD09C6E0
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 005C747F
                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005C7497
                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005C74AC
                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005C74CA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Type$Register$FileLoadModuleNameUser
                    • String ID:
                    • API String ID: 1352324309-0
                    • Opcode ID: e9f0b1cb9ef13884e346b42c3219a0e7850865902a2609aca82b0883810eb271
                    • Instruction ID: b32e2d8adcfdf809dc54431619f374430ba8fe72ae9300b5b0842c702704dd59
                    • Opcode Fuzzy Hash: e9f0b1cb9ef13884e346b42c3219a0e7850865902a2609aca82b0883810eb271
                    • Instruction Fuzzy Hash: 94117CB52053189FEB208F94DD49FA2BFB8FB04B00F10856DA626D6551D7B4E908EF50
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005CACD3,?,00008000), ref: 005CB0C4
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005CACD3,?,00008000), ref: 005CB0E9
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005CACD3,?,00008000), ref: 005CB0F3
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005CACD3,?,00008000), ref: 005CB126
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID:
                    • API String ID: 2875609808-0
                    • Opcode ID: 68135cdacf6463d51751807138e3004fcf649fd419ce349046d2b893075d6005
                    • Instruction ID: bfe69289bf87f38b1a9cd5beb2bedea2728da933dd724b8cb3b4f0c8a2c7679f
                    • Opcode Fuzzy Hash: 68135cdacf6463d51751807138e3004fcf649fd419ce349046d2b893075d6005
                    • Instruction Fuzzy Hash: 8B112731C0162DEBDF00AFE4E95ABEEBF78BF59711F104499D941B2181CB345A60DB52
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005C2DC5
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 005C2DD6
                    • GetCurrentThreadId.KERNEL32 ref: 005C2DDD
                    • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005C2DE4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    • Opcode ID: 3c232ca72dd375fe704d20e40d4316d48c83e5255fa4c036084b4600607e761b
                    • Instruction ID: a06f7995893a3b3afbe51ab40106b260c08e98c50a4c3e24a7d290f78fa53827
                    • Opcode Fuzzy Hash: 3c232ca72dd375fe704d20e40d4316d48c83e5255fa4c036084b4600607e761b
                    • Instruction Fuzzy Hash: 6EE092B11052287BD7201BB69D0DFFB3E6CFF63BA1F000429F106D10809AA8C845E6B0
                    APIs
                      • Part of subcall function 00579639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00579693
                      • Part of subcall function 00579639: SelectObject.GDI32(?,00000000), ref: 005796A2
                      • Part of subcall function 00579639: BeginPath.GDI32(?), ref: 005796B9
                      • Part of subcall function 00579639: SelectObject.GDI32(?,00000000), ref: 005796E2
                    • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005F8887
                    • LineTo.GDI32(?,?,?), ref: 005F8894
                    • EndPath.GDI32(?), ref: 005F88A4
                    • StrokePath.GDI32(?), ref: 005F88B2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: 7184e179e3d2e94d2cfba046d176cff0cbb1019a0d27e264b61cd440556112e8
                    • Instruction ID: b88545c6241f6020554905162b2b29fb4f3f67ebd3df6af7ec623ad6778cfae4
                    • Opcode Fuzzy Hash: 7184e179e3d2e94d2cfba046d176cff0cbb1019a0d27e264b61cd440556112e8
                    • Instruction Fuzzy Hash: 4BF03A3604125DBADB126F94AD0DFEE3E59AF16310F048110FA11A50E1CB795526EBE5
                    APIs
                    • GetSysColor.USER32(00000008), ref: 005798CC
                    • SetTextColor.GDI32(?,?), ref: 005798D6
                    • SetBkMode.GDI32(?,00000001), ref: 005798E9
                    • GetStockObject.GDI32(00000005), ref: 005798F1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Color$ModeObjectStockText
                    • String ID:
                    • API String ID: 4037423528-0
                    • Opcode ID: b01524a153d132cf72002731eeadfa969e9be257e221b542f37a344d15336399
                    • Instruction ID: b8be9cb3be8572e6bafc4870a3a5bbbadd411f3026f8d85ec7c4efb7fb0a8b0b
                    • Opcode Fuzzy Hash: b01524a153d132cf72002731eeadfa969e9be257e221b542f37a344d15336399
                    • Instruction Fuzzy Hash: 49E06531244648AADB215B74BD09BF83F10FB66336F148229F6FA980E1C3755654EB10
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 005C1634
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,005C11D9), ref: 005C163B
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005C11D9), ref: 005C1648
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,005C11D9), ref: 005C164F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    • Opcode ID: 564eb61bf28a695eed2b7dd5e563ad85bed687f7b73e9db28568c35fdbe35855
                    • Instruction ID: 6123960d417fcc7ee30d939595e43c791cb5ed0011ed30674a792371d2289e96
                    • Opcode Fuzzy Hash: 564eb61bf28a695eed2b7dd5e563ad85bed687f7b73e9db28568c35fdbe35855
                    • Instruction Fuzzy Hash: 2DE04F326412159BD7205BF09E0DF6A3F6CAF65791F144828F245C9080DA284489D754
                    APIs
                    • GetDesktopWindow.USER32 ref: 005BD858
                    • GetDC.USER32(00000000), ref: 005BD862
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 005BD882
                    • ReleaseDC.USER32(?), ref: 005BD8A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: bcc90fed65f17eb446f12aff020ab3238ca4e5ec40f4ac4edc4b154cf6097e6b
                    • Instruction ID: 7d722a33b8ce49a561f9b5a3b7f56dd7d7dcc5e7d903b70ac2cfca995dfb685f
                    • Opcode Fuzzy Hash: bcc90fed65f17eb446f12aff020ab3238ca4e5ec40f4ac4edc4b154cf6097e6b
                    • Instruction Fuzzy Hash: 54E0E5B4804209DFCB419FA49A0CA7DBFB5BB18311B108429E846E7350DB385909EF50
                    APIs
                    • GetDesktopWindow.USER32 ref: 005BD86C
                    • GetDC.USER32(00000000), ref: 005BD876
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 005BD882
                    • ReleaseDC.USER32(?), ref: 005BD8A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: 4c094a855a07701d35e0d47128922b5535a10c7b158a6a188e1b56d7bc772054
                    • Instruction ID: 9e557f0b5a2e6875373cddd281d55317b743979fde931786a6bfaf784b0a5ddb
                    • Opcode Fuzzy Hash: 4c094a855a07701d35e0d47128922b5535a10c7b158a6a188e1b56d7bc772054
                    • Instruction Fuzzy Hash: 63E01A74804208DFCB409FA4D90C67DBFB5BB18310B108418E84AE7350CB3C5909EF50
                    APIs
                      • Part of subcall function 00567620: _wcslen.LIBCMT ref: 00567625
                    • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 005D4ED4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: Connection_wcslen
                    • String ID: *$LPT
                    • API String ID: 1725874428-3443410124
                    • Opcode ID: 312b5b816faee3794e57208fac27427e7d08786d42ac618915cbe723e5756902
                    • Instruction ID: e67fc5c7f860d6c919dba683efb339fa34c36451301edb5018470ffae896fac2
                    • Opcode Fuzzy Hash: 312b5b816faee3794e57208fac27427e7d08786d42ac618915cbe723e5756902
                    • Instruction Fuzzy Hash: 2B912C75A002459FCB24DF58C484EAABFF5BF48304F19809AE80A9B362D735ED85CF91
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 0058E30D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ErrorHandling__start
                    • String ID: pow
                    • API String ID: 3213639722-2276729525
                    • Opcode ID: 7d683854f77b844ffde2188b91955ede535df5f1d62097aae79406e97e5ad3ee
                    • Instruction ID: fac68cedfa8fb217bb51e79a7af0e0618d1a716e2989b0f7ad4c078aa635bee4
                    • Opcode Fuzzy Hash: 7d683854f77b844ffde2188b91955ede535df5f1d62097aae79406e97e5ad3ee
                    • Instruction Fuzzy Hash: 00515C61A5C20B96CF157728CD0637A3FB8FF44740F344D9AE896522E9EF348C919B46
                    APIs
                    • CharUpperBuffW.USER32(005B569E,00000000,?,005FCC08,?,00000000,00000000), ref: 005E78DD
                      • Part of subcall function 00566B57: _wcslen.LIBCMT ref: 00566B6A
                    • CharUpperBuffW.USER32(005B569E,00000000,?,005FCC08,00000000,?,00000000,00000000), ref: 005E783B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: BuffCharUpper$_wcslen
                    • String ID: <sb
                    • API String ID: 3544283678-1973350311
                    • Opcode ID: 06d23966fff48ab8c0cb2023f4d8f0434d07ec7de9b49a03146230be0d66e298
                    • Instruction ID: 4ced9952c0c88e3fdf55c1ac5b3f04750fb75e5991ad2aeb429893d26111e7bc
                    • Opcode Fuzzy Hash: 06d23966fff48ab8c0cb2023f4d8f0434d07ec7de9b49a03146230be0d66e298
                    • Instruction Fuzzy Hash: 15616E3291415EAACF08EBA5CC95DFDBB78BF68300F544525F582B3192EF305A05DBA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID:
                    • String ID: #
                    • API String ID: 0-1885708031
                    • Opcode ID: 0de93f3d6248d6636508b5177f99663bd3e4440207364f19e4693209d51e4923
                    • Instruction ID: 682904dd5ba35fee3402650be0a2c6910aef2e81780443d3b6e8770be6ed9095
                    • Opcode Fuzzy Hash: 0de93f3d6248d6636508b5177f99663bd3e4440207364f19e4693209d51e4923
                    • Instruction Fuzzy Hash: F1513439504386EFDB15DF68D0476FA7FA4FF59310F288055E8919B291DA30AD42DB90
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 0057F2A2
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0057F2BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    • Opcode ID: b47fab77e9e1607512bfb96e329a6c8eddef72fb6b873565b090e584a40d1067
                    • Instruction ID: 861b1752e8a74e7544d73fd0b0f7d2f70627e49f588ba672882a8c771df705db
                    • Opcode Fuzzy Hash: b47fab77e9e1607512bfb96e329a6c8eddef72fb6b873565b090e584a40d1067
                    • Instruction Fuzzy Hash: 5B517A714187499BD320AF50DC8ABABBBF8FBC4304F81885DF1D942195EF718529CB66
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005E57E0
                    • _wcslen.LIBCMT ref: 005E57EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: BuffCharUpper_wcslen
                    • String ID: CALLARGARRAY
                    • API String ID: 157775604-1150593374
                    • Opcode ID: 5ac83aab887c9fce3c7ca095f0549ba646306288c4d5be8d01791819c3677a38
                    • Instruction ID: fe9e2c8a1169305d177286e1c9b03670951c6de42cafb29d1a08460a53d327b3
                    • Opcode Fuzzy Hash: 5ac83aab887c9fce3c7ca095f0549ba646306288c4d5be8d01791819c3677a38
                    • Instruction Fuzzy Hash: 9441B031A0420A9FCB18DFA9C8859BEBFF5FF99318F204169E545A7291E7309D81CB90
                    APIs
                    • _wcslen.LIBCMT ref: 005DD130
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005DD13A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: CrackInternet_wcslen
                    • String ID: |
                    • API String ID: 596671847-2343686810
                    • Opcode ID: 625541435a44d72e91f9921ef07d478c80f1cb41ba14f7c2aeba5a790241199b
                    • Instruction ID: 3235d0c3b749f134e04994748ec00d627faafbb0c6654b89edce4fa44d4c40ac
                    • Opcode Fuzzy Hash: 625541435a44d72e91f9921ef07d478c80f1cb41ba14f7c2aeba5a790241199b
                    • Instruction Fuzzy Hash: 6F311E71D0011AABCF15EFA4CC89AEFBFB9FF44300F10011AF815A6265D731AA56DBA0
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 005F3621
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005F365C
                    Strings
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    • Opcode ID: e7a1cbfc1fd60e354720e3da6aefed38e611452ae8ed9123999f77ebbeac8897
                    • Instruction ID: 3c84697098aef572b315b538cfb0bbc7687bcd66b66cf08c6c924715c90e93e6
                    • Opcode Fuzzy Hash: e7a1cbfc1fd60e354720e3da6aefed38e611452ae8ed9123999f77ebbeac8897
                    • Instruction Fuzzy Hash: 9E319071100208AEEB109F68DC84EFB7BA9FF88724F009619F9A5D7290DB34ED81D760
                    APIs
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 005F461F
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005F4634
                    Strings
                    Similarity
                    • API ID: MessageSend
                    • String ID: '
                    • API String ID: 3850602802-1997036262
                    • Opcode ID: 3db76724708e806c864488fcce00689960cafd6eef07a18ecf40d7092853d040
                    • Instruction ID: 94221756313b872fb21ea388f38ed6a19b9d66441e63bdca6233c2672f49f9f8
                    • Opcode Fuzzy Hash: 3db76724708e806c864488fcce00689960cafd6eef07a18ecf40d7092853d040
                    • Instruction Fuzzy Hash: B1311874A0120E9FDB14DFA9C990BEA7BB5FF49300F14406AEA05EB391D774A941DF90
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005F327C
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005F3287
                    Strings
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    • Opcode ID: 35bf7d1e2fdb077c07a0654624ba1ab4dc574ced71c71ce2f3ceee40868f1cbb
                    • Instruction ID: ce9d31b390eec7100413adaf2476d4771c4cbfa147f157dec35f87383262c922
                    • Opcode Fuzzy Hash: 35bf7d1e2fdb077c07a0654624ba1ab4dc574ced71c71ce2f3ceee40868f1cbb
                    • Instruction Fuzzy Hash: 8611907520020D6FFF219E54DC84EBB3B6BFB94364F104525FA189B290D6399D519B60
                    APIs
                      • Part of subcall function 0056600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0056604C
                      • Part of subcall function 0056600E: GetStockObject.GDI32(00000011), ref: 00566060
                      • Part of subcall function 0056600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0056606A
                    • GetWindowRect.USER32(00000000,?), ref: 005F377A
                    • GetSysColor.USER32(00000012), ref: 005F3794
                    Strings
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: 82ff1f0a82ced27e24051a0c946ce3b84362c9606590f821c48ac40823ec8ea5
                    • Instruction ID: 476140dc1fbd09848a8572f7dcac7d52155c75cceaabc1956d5e77399493ef1d
                    • Opcode Fuzzy Hash: 82ff1f0a82ced27e24051a0c946ce3b84362c9606590f821c48ac40823ec8ea5
                    • Instruction Fuzzy Hash: BF112CB261020EAFEB00DFA8CC45EFA7BB8FB08314F004924FA55E2250E739E955DB50
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005DCD7D
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005DCDA6
                    Strings
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: fa378bde27c1a0bd0f1e7c7bb29512d399b773c8ea407c30582a130d46c5f4e9
                    • Instruction ID: f1df3fc5e6efe2f13caef3f37f8b47636f7349281fb7f139b145bc209550de17
                    • Opcode Fuzzy Hash: fa378bde27c1a0bd0f1e7c7bb29512d399b773c8ea407c30582a130d46c5f4e9
                    • Instruction Fuzzy Hash: B111A3712056767AD7386A6A8C45EF7BE6AFF227A4F00463BB109C3280D6649844D6F0
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 005F34AB
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005F34BA
                    Strings
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: 9ccb1872a2fa7b486cea5ef1f80aca6be98320d8a0e17baad088249ba01d5882
                    • Instruction ID: 8ce3931a164940623365f708b4b526ff6a4f5e5e22640e2b85e48ea11521ac79
                    • Opcode Fuzzy Hash: 9ccb1872a2fa7b486cea5ef1f80aca6be98320d8a0e17baad088249ba01d5882
                    • Instruction Fuzzy Hash: 2011587110020CAAFF128E64DC4CABA3E6AFB55374F504724FA61971E4C679EC51AB60
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    • CharUpperBuffW.USER32(?,?,?), ref: 005C6CB6
                    • _wcslen.LIBCMT ref: 005C6CC2
                    Strings
                    Similarity
                    • API ID: _wcslen$BuffCharUpper
                    • String ID: STOP
                    • API String ID: 1256254125-2411985666
                    • Opcode ID: d88d1dddce5ebd071044378664f03747f423da4d0f9006fa156c10dbcc7bb3a1
                    • Instruction ID: 0045f6201a8450c9bd7880892631f5b14fc8dfaf97c1e34a8608586a2e379ce1
                    • Opcode Fuzzy Hash: d88d1dddce5ebd071044378664f03747f423da4d0f9006fa156c10dbcc7bb3a1
                    • Instruction Fuzzy Hash: 8D01A1326005278ECB20AEFDDC85EBF7FA9BAA1710B500928E86297194EA31DE00C650
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                      • Part of subcall function 005C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005C3CCA
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005C1D4C
                    Strings
                    Similarity
                    • API ID: ClassMessageNameSend_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 624084870-1403004172
                    • Opcode ID: 7721df9fc4016e478f13ea209d7cfae2f81db4cf8c3311869fc1e83783e6901e
                    • Instruction ID: 1900713ca0a03cee1dccc13b845fd54f856544ee741ae211e51f5e64b88418f0
                    • Opcode Fuzzy Hash: 7721df9fc4016e478f13ea209d7cfae2f81db4cf8c3311869fc1e83783e6901e
                    • Instruction Fuzzy Hash: 2601D871601619AFCB14EBE4CD55EFE7B69FF97350B14091DF823572C2EA309908D660
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                      • Part of subcall function 005C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005C3CCA
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 005C1C46
                    Strings
                    Similarity
                    • API ID: ClassMessageNameSend_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 624084870-1403004172
                    • Opcode ID: a4da5602cc0a26637b31af18c1eea392ee45197c7f0d372637a4bc21827ce570
                    • Instruction ID: 78f451795d9a4b3710671a2a324d11efc108fa158cb30d55e21883d8bba3441e
                    • Opcode Fuzzy Hash: a4da5602cc0a26637b31af18c1eea392ee45197c7f0d372637a4bc21827ce570
                    • Instruction Fuzzy Hash: 0F0184756815096BDB14EBD0CA59EFF7BACBF52340F14002DB40667282EA349E18E6B5
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                      • Part of subcall function 005C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005C3CCA
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 005C1CC8
                    Strings
                    Similarity
                    • API ID: ClassMessageNameSend_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 624084870-1403004172
                    • Opcode ID: 1e7e461f4643cf684ad3559a3da45c58aa73b308b3a2afaa03bb0b2da4dd2921
                    • Instruction ID: e332677a1330159ab768cfbf18adb9a6f1b881e7f6f61d7cccde2f95ee3852d4
                    • Opcode Fuzzy Hash: 1e7e461f4643cf684ad3559a3da45c58aa73b308b3a2afaa03bb0b2da4dd2921
                    • Instruction Fuzzy Hash: D101A7716405196BDB14E7D4CB16FFE7BACBB52380F140019B802B7282EA349F18D675
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 0057A529
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                    Strings
                    Similarity
                    • API ID: Init_thread_footer_wcslen
                    • String ID: ,%c$3y[
                    • API String ID: 2551934079-398146797
                    • Opcode ID: 213bb80f93d2f9e68f77212b3c3ffabc26fbf833c0ad251bfb8a7b05ae70a24c
                    • Instruction ID: 06983ac01a4867ccf338dc560411359e3abdb96856911f952fa0b18e90911e66
                    • Opcode Fuzzy Hash: 213bb80f93d2f9e68f77212b3c3ffabc26fbf833c0ad251bfb8a7b05ae70a24c
                    • Instruction Fuzzy Hash: BF01F73170061687CE00F768E81FA6D3F59BBC5720F404424F50A671C2DE615E0596D7
                    APIs
                      • Part of subcall function 00569CB3: _wcslen.LIBCMT ref: 00569CBD
                      • Part of subcall function 005C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005C3CCA
                    • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 005C1DD3
                    Strings
                    Similarity
                    • API ID: ClassMessageNameSend_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 624084870-1403004172
                    • Opcode ID: 7a8e7d6165e9fd44322bd966f9caeaae21272d13f41c7d9d81500e4ac0b1c413
                    • Instruction ID: e3fac83590bd84e529aad91cf56e2c02475f0202fed618a501ac8675df56cf41
                    • Opcode Fuzzy Hash: 7a8e7d6165e9fd44322bd966f9caeaae21272d13f41c7d9d81500e4ac0b1c413
                    • Instruction Fuzzy Hash: DDF0F471A4061A6BDB14F7E4CD56FFE7F6CBF52340F040919B823A72C2DA7059088664
                    APIs
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00633018,0063305C), ref: 005F81BF
                    • CloseHandle.KERNEL32 ref: 005F81D1
                    Strings
                    Similarity
                    • API ID: CloseCreateHandleProcess
                    • String ID: \0c
                    • API String ID: 3712363035-2434402519
                    • Opcode ID: b1c40808b5a8a91a49393ce206a3187b4ecaa73f94b4b69ec96f5ffad156b37c
                    • Instruction ID: 126996d097de2999409e8fcc16b4bc9c68ecfb07c058b0641b261643501ad5d6
                    • Opcode Fuzzy Hash: b1c40808b5a8a91a49393ce206a3187b4ecaa73f94b4b69ec96f5ffad156b37c
                    • Instruction Fuzzy Hash: 20F089B1640314BEF3146B616C45F773E5DEB14755F000420BF08D52A1D7798E0497F4
                    APIs
                    Strings
                    Similarity
                    • API ID: _wcslen
                    • String ID: 3, 3, 16, 1
                    • API String ID: 176396367-3042988571
                    • Opcode ID: 5bd64408089457b0c33b66c62b28e9e39183167ad072b714a94e6b9840019280
                    • Instruction ID: 426cd6801a4467da3479ab39ba027acdc088e0709e6778f100cc7f86e430547a
                    • Opcode Fuzzy Hash: 5bd64408089457b0c33b66c62b28e9e39183167ad072b714a94e6b9840019280
                    • Instruction Fuzzy Hash: 37E02B02205362109735227BACC597F5E8AFFCD750710182BFDC5D22A6EA94CD9193A0
                    APIs
                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005C0B23
                    Strings
                    Similarity
                    • API ID: Message
                    • String ID: AutoIt$Error allocating memory.
                    • API String ID: 2030045667-4017498283
                    • Opcode ID: dd8234a24ef17400b4cbab2ac274cf210444c7c61a8ea3510c6ae4db710003d0
                    • Instruction ID: 7c66b404712c7eaed34b6381d38a28a165ba99ea12e16123d43234f2f561d6e6
                    • Opcode Fuzzy Hash: dd8234a24ef17400b4cbab2ac274cf210444c7c61a8ea3510c6ae4db710003d0
                    • Instruction Fuzzy Hash: A7E0D83128531D2AD22476947D07F997E88EF05B14F10443AFB58954C38AE168909BE9
                    APIs
                      • Part of subcall function 0057F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00580D71,?,?,?,0056100A), ref: 0057F7CE
                    • IsDebuggerPresent.KERNEL32(?,?,?,0056100A), ref: 00580D75
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0056100A), ref: 00580D84
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00580D7F
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 55579361-631824599
                    • Opcode ID: dffa72fbde9943252964571b6e1ec377e6304f4d1c53dff3f1c38e16973e22d7
                    • Instruction ID: bc1cc81d832ad75bf29dfb73065c22f6211f44de96980714c20c1deb4a62d7da
                    • Opcode Fuzzy Hash: dffa72fbde9943252964571b6e1ec377e6304f4d1c53dff3f1c38e16973e22d7
                    • Instruction Fuzzy Hash: B1E06D742003018BE7A0AFB8E5083567FE4FF10744F00992DE986D7691EBB9E448DB91
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 0057E3D5
                    Strings
                    Similarity
                    • API ID: Init_thread_footer
                    • String ID: 0%c$8%c
                    • API String ID: 1385522511-2241630064
                    • Opcode ID: 6b7752528325d1f53a0aa6110a632fa6ccf30cd0531060b2e878516e26fd0baf
                    • Instruction ID: 67c6a719a66af3a58f20a1e953c9ba64d295d5eb7df54dc5518f6cac8ec89c28
                    • Opcode Fuzzy Hash: 6b7752528325d1f53a0aa6110a632fa6ccf30cd0531060b2e878516e26fd0baf
                    • Instruction Fuzzy Hash: 6DE08632414B22CBC704EB18FC7EB883B57BB4D330B5069E5E656971D19B703A41A7D5
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: LocalTime
                    • String ID: %.3d$X64
                    • API String ID: 481472006-1077770165
                    • Opcode ID: fd059863c2af59919ad023e1ab6fb6f26432596d807497d041f065b827154337
                    • Instruction ID: 34343c8f7c46b8443e5e285ae1a2e95d0315846feea511c64a0db480d01997e8
                    • Opcode Fuzzy Hash: fd059863c2af59919ad023e1ab6fb6f26432596d807497d041f065b827154337
                    • Instruction Fuzzy Hash: 9FD0EC69809159E9CA90D7909C498F9FB7CBB58301F508862F90A91040F628E508AB71
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005F236C
                    • PostMessageW.USER32(00000000), ref: 005F2373
                      • Part of subcall function 005CE97B: Sleep.KERNEL32 ref: 005CE9F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: c2f7444acf92b818beee3acfbdf263dba3e00796c770b7c6a2cc4fbafcf01c7b
                    • Instruction ID: e1794f9ad4d565db3191e8d53eba52c03f8909f8c78a67360ad4f66f564bec3b
                    • Opcode Fuzzy Hash: c2f7444acf92b818beee3acfbdf263dba3e00796c770b7c6a2cc4fbafcf01c7b
                    • Instruction Fuzzy Hash: 08D0A9323803147AE264A370EC0FFC66A25AB11B00F0009267201EA0D0C8B4A804CA04
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005F232C
                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005F233F
                      • Part of subcall function 005CE97B: Sleep.KERNEL32 ref: 005CE9F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: a7740aa5717f5906559a0ba06f8c926042b66c93a1ce01646c128c45b9dd7226
                    • Instruction ID: 7e5af1a6557a55a3a592eea8497b5fc46d74d9071479a67da0ea7028de545e2a
                    • Opcode Fuzzy Hash: a7740aa5717f5906559a0ba06f8c926042b66c93a1ce01646c128c45b9dd7226
                    • Instruction Fuzzy Hash: 21D0A932384314BAE264A370EC0FFD66E25AB10B00F0009267205EA0D0C8B4A804CA00
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0059BE93
                    • GetLastError.KERNEL32 ref: 0059BEA1
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0059BEFC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1682780262.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                    • Associated: 00000000.00000002.1682755407.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.00000000005FC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682848717.0000000000622000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682909180.000000000062C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1682925227.0000000000634000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_560000_3TpW2Sn68z.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast
                    • String ID:
                    • API String ID: 1717984340-0
                    • Opcode ID: ecffddb9aeed743fd0c5ec407bc505599d895b9db267a7d2999626d19f21b7c1
                    • Instruction ID: 671edf4e545420d6b21ab2014d968c9b84769729797e3c3031f29847b1854622
                    • Opcode Fuzzy Hash: ecffddb9aeed743fd0c5ec407bc505599d895b9db267a7d2999626d19f21b7c1
                    • Instruction Fuzzy Hash: AF41E63460020AEFFF219F64EE84ABA7FA9FF41310F144169F959971A1DB308D00DB50