Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
7xonkSJwuY.exe

Overview

General Information

Sample name:7xonkSJwuY.exe
renamed because original name is a hash value
Original sample name:36881de84e2d129a6a32e7a5c5537aee.exe
Analysis ID:1538405
MD5:36881de84e2d129a6a32e7a5c5537aee
SHA1:7e022793522c1f22103a5946ac4b204f3ab58706
SHA256:9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6
Tags:exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 7xonkSJwuY.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\7xonkSJwuY.exe" MD5: 36881DE84E2D129A6A32E7A5C5537AEE)
    • pteropod.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\7xonkSJwuY.exe" MD5: 36881DE84E2D129A6A32E7A5C5537AEE)
      • RegSvcs.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\7xonkSJwuY.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 7796 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • pteropod.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe" MD5: 36881DE84E2D129A6A32E7A5C5537AEE)
      • RegSvcs.exe (PID: 7940 cmdline: "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: RedLine

{"C2 url": ["162.251.122.86:5798"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x777a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x7817:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x792c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x7428:$cnc4: POST / HTTP/1.1
        00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0x797a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x7a17:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x7b2c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x7628:$cnc4: POST / HTTP/1.1
            Click to see the 11 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.2.pteropod.exe.2ec0000.1.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
              5.2.pteropod.exe.2ec0000.1.raw.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0x797a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x7a17:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x7b2c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x7628:$cnc4: POST / HTTP/1.1
              1.2.pteropod.exe.c10000.1.unpackJoeSecurity_XWormYara detected XWormJoe Security
                1.2.pteropod.exe.c10000.1.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0x5b7a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0x5c17:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0x5d2c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0x5828:$cnc4: POST / HTTP/1.1
                5.2.pteropod.exe.2ec0000.1.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  Click to see the 7 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: WScript or CScript Dropper
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , ProcessId: 7796, ProcessName: wscript.exe
                  Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs" , ProcessId: 7796, ProcessName: wscript.exe

                  Data Obfuscation

                  barindex
                  Sigma detected: Drops script at startup location
                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe, ProcessId: 7508, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-21T08:22:12.280819+020020432341A Network Trojan was detected162.251.122.865798192.168.2.449732TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-21T08:22:12.141900+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:17.334957+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:17.551342+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:17.704856+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:17.869834+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:18.124874+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:18.129914+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:18.865275+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:19.072918+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:19.216159+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:19.352473+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:19.517333+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:19.655440+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:20.045535+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:20.657105+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:20.825730+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:21.019224+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:21.181704+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:21.319308+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:21.496685+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:21.647902+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:21.786715+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:21.923123+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  2024-10-21T08:22:22.115591+020020432311A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-21T08:22:17.556288+020020460561A Network Trojan was detected162.251.122.865798192.168.2.449732TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-21T08:22:12.141900+020020460451A Network Trojan was detected192.168.2.449732162.251.122.865798TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-21T08:22:08.832977+020028528701Malware Command and Control Activity Detected162.251.122.8657903192.168.2.449730TCP
                  2024-10-21T08:22:19.777468+020028528701Malware Command and Control Activity Detected162.251.122.8657903192.168.2.449730TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-21T08:22:19.779826+020028529231Malware Command and Control Activity Detected192.168.2.449730162.251.122.8657903TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-21T08:22:08.832977+020028528741Malware Command and Control Activity Detected162.251.122.8657903192.168.2.449730TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-21T08:22:19.638440+020028531931Malware Command and Control Activity Detected192.168.2.449730162.251.122.8657903TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 2.2.RegSvcs.exe.6be0000.0.raw.unpackMalware Configuration Extractor: RedLine {"C2 url": ["162.251.122.86:5798"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeReversingLabs: Detection: 63%
                  Multi AV Scanner detection for submitted file
                  Source: 7xonkSJwuY.exeReversingLabs: Detection: 63%
                  Source: 7xonkSJwuY.exeVirustotal: Detection: 30%Perma Link
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: 7xonkSJwuY.exeJoe Sandbox ML: detected
                  Sample uses string decryption to hide its real strings
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpackString decryptor: 162.251.122.86
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpackString decryptor: 57903
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpackString decryptor: <123456789>
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpackString decryptor: <Xwormmm>
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpackString decryptor: XWorm V5.6
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpackString decryptor: USB.exe
                  Source: 7xonkSJwuY.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: Binary string: wntdll.pdbUGP source: pteropod.exe, 00000001.00000003.1708097740.0000000004040000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1709011475.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1871597600.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1875000927.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: pteropod.exe, 00000001.00000003.1708097740.0000000004040000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1709011475.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1871597600.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1875000927.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_00452126
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,1_2_0045C999
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,1_2_00436ADE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00434BEE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,1_2_00436D2D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00442E1F
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0045DD7C FindFirstFileW,FindClose,1_2_0045DD7C
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,1_2_0044BD29
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00475FE5
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0044BF8D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452126
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,5_2_0045C999
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,5_2_00436ADE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00434BEE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,5_2_00436D2D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442E1F
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0045DD7C FindFirstFileW,FindClose,5_2_0045DD7C
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD29
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00475FE5
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8D
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then inc dword ptr [ebp-20h]2_2_07088400
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0708AF6Eh2_2_0708AF4D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 071466FAh2_2_07146438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 07145647h2_2_07144EE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 07147172h2_2_07146D46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 071475F2h2_2_07146D46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0714D278h2_2_0714CD80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0714AE72h2_2_0714ABA2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 07143A0Dh2_2_07143602
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 07143A0Dh2_2_07143630
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 07149EB1h2_2_07149E99

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49732 -> 162.251.122.86:5798
                  Source: Network trafficSuricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49732 -> 162.251.122.86:5798
                  Source: Network trafficSuricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 162.251.122.86:5798 -> 192.168.2.4:49732
                  Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 162.251.122.86:57903 -> 192.168.2.4:49730
                  Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 162.251.122.86:57903 -> 192.168.2.4:49730
                  Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 162.251.122.86:5798 -> 192.168.2.4:49732
                  Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49730 -> 162.251.122.86:57903
                  Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49730 -> 162.251.122.86:57903
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: 162.251.122.86:5798
                  Connects to many ports of the same IP (likely port scanning)
                  Source: global trafficTCP traffic: 162.251.122.86 ports 0,3,5,7,9,5798,57903
                  Source: global trafficTCP traffic: 192.168.2.4:49730 -> 162.251.122.86:57903
                  Source: Joe Sandbox ViewASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: unknownTCP traffic detected without corresponding DNS query: 162.251.122.86
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,0_2_0044289D
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1939017014.0000000006BE0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00459FFF
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_00459FFF
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_0047C08E
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0047C08E

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 1.2.pteropod.exe.c10000.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 5.2.pteropod.exe.2ec0000.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Windows Scripting host queries suspicious COM object (likely to drop second stage)
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00434D50
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004461ED
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,1_2_004364AA
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,5_2_004364AA
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00409A400_2_00409A40
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004120380_2_00412038
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0047E1FA0_2_0047E1FA
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0041A46B0_2_0041A46B
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0041240C0_2_0041240C
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004045E00_2_004045E0
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004128180_2_00412818
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0047CBF00_2_0047CBF0
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0044EBBC0_2_0044EBBC
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00412C380_2_00412C38
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0044ED9A0_2_0044ED9A
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00424F700_2_00424F70
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0041AF0D0_2_0041AF0D
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004271610_2_00427161
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004212BE0_2_004212BE
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004433900_2_00443390
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004433910_2_00443391
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0041D7500_2_0041D750
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004037E00_2_004037E0
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004278590_2_00427859
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0040F8900_2_0040F890
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0042397B0_2_0042397B
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00411B630_2_00411B63
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00423EBF0_2_00423EBF
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_03E8F2A00_2_03E8F2A0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00409A401_2_00409A40
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004120381_2_00412038
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0047E1FA1_2_0047E1FA
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0041A46B1_2_0041A46B
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0041240C1_2_0041240C
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004045E01_2_004045E0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004128181_2_00412818
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0047CBF01_2_0047CBF0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0044EBBC1_2_0044EBBC
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00412C381_2_00412C38
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0044ED9A1_2_0044ED9A
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00424F701_2_00424F70
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0041AF0D1_2_0041AF0D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004271611_2_00427161
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004212BE1_2_004212BE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004433901_2_00443390
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004433911_2_00443391
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0041D7501_2_0041D750
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004037E01_2_004037E0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004278591_2_00427859
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0040F8901_2_0040F890
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0042397B1_2_0042397B
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00411B631_2_00411B63
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00423EBF1_2_00423EBF
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_03E4CA901_2_03E4CA90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_026BD5042_2_026BD504
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06F0A6A02_2_06F0A6A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06F0EEEC2_2_06F0EEEC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06F0AE202_2_06F0AE20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06F0EEEC2_2_06F0EEEC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06F0EEEC2_2_06F0EEEC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07049F802_2_07049F80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070443D82_2_070443D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070473F12_2_070473F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070865302_2_07086530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0708C4102_2_0708C410
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0708A4632_2_0708A463
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070841A02_2_070841A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0708B0002_2_0708B000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0708BBA92_2_0708BBA9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070865212_2_07086521
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0708AFF02_2_0708AFF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_071445102_2_07144510
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0714B5682_2_0714B568
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_071495B02_2_071495B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_071464382_2_07146438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0714A4682_2_0714A468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07148E482_2_07148E48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07144EE82_2_07144EE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07146D462_2_07146D46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0714CD802_2_0714CD80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07143CA82_2_07143CA8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0714EB902_2_0714EB90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07145A662_2_07145A66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_071488082_2_07148808
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_071487F82_2_071487F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_071436022_2_07143602
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_071436302_2_07143630
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07148E382_2_07148E38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07143C982_2_07143C98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07141B382_2_07141B38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07141B482_2_07141B48
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00409A405_2_00409A40
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004120385_2_00412038
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0047E1FA5_2_0047E1FA
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0041A46B5_2_0041A46B
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0041240C5_2_0041240C
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004045E05_2_004045E0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004128185_2_00412818
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0047CBF05_2_0047CBF0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0044EBBC5_2_0044EBBC
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00412C385_2_00412C38
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0044ED9A5_2_0044ED9A
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00424F705_2_00424F70
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0041AF0D5_2_0041AF0D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004271615_2_00427161
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004212BE5_2_004212BE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004433905_2_00443390
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004433915_2_00443391
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0041D7505_2_0041D750
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004037E05_2_004037E0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004278595_2_00427859
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0040F8905_2_0040F890
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0042397B5_2_0042397B
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00411B635_2_00411B63
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00423EBF5_2_00423EBF
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_03BA8A085_2_03BA8A08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_02450EC06_2_02450EC0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 00425210 appears 56 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 00445975 appears 130 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 0041171A appears 74 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 0041832D appears 52 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 004136BC appears 36 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 004092C0 appears 50 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 0041718C appears 88 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 00401B70 appears 46 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 0040E6D0 appears 70 times
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: String function: 0043362D appears 38 times
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: String function: 00445975 appears 65 times
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: String function: 0041171A appears 37 times
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: String function: 0041718C appears 44 times
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: String function: 0040E6D0 appears 35 times
                  Source: 7xonkSJwuY.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 1.2.pteropod.exe.c10000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 5.2.pteropod.exe.2ec0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/5@0/1
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0044AF5C GetLastError,FormatMessageW,0_2_0044AF5C
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464422
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,1_2_00464422
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,1_2_004364AA
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,5_2_00464422
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,5_2_004364AA
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D517
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,0_2_0043701F
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,0_2_0047A999
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043614F
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeFile created: C:\Users\user\AppData\Local\arrogatinglyJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\fCXrE8L4kRTm48Ov
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeFile created: C:\Users\user\AppData\Local\Temp\drawlinglyJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs"
                  Source: 7xonkSJwuY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002F56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: 7xonkSJwuY.exeReversingLabs: Detection: 63%
                  Source: 7xonkSJwuY.exeVirustotal: Detection: 30%
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeFile read: C:\Users\user\Desktop\7xonkSJwuY.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\7xonkSJwuY.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeProcess created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe"
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe"
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeProcess created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: Binary string: wntdll.pdbUGP source: pteropod.exe, 00000001.00000003.1708097740.0000000004040000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1709011475.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1871597600.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1875000927.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: pteropod.exe, 00000001.00000003.1708097740.0000000004040000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1709011475.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1871597600.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1875000927.0000000003E20000.00000004.00001000.00020000.00000000.sdmp

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  .NET source code contains potential unpacker
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                  Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs.Net Code: Memory
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                  Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs.Net Code: Memory
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
                  Source: 7xonkSJwuY.exeStatic PE information: real checksum: 0xa2135 should be: 0xc344d
                  Source: pteropod.exe.0.drStatic PE information: real checksum: 0xa2135 should be: 0xc344d
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004171D1 push ecx; ret 0_2_004171E4
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004171D1 push ecx; ret 1_2_004171E4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06F0E013 push esp; ret 2_2_06F0E025
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06F0DD17 push edi; iretd 2_2_06F0DD32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06F0EAC7 pushad ; ret 2_2_06F0EAD5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070415B2 push eax; iretd 2_2_070415B9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0708B628 push C40705FCh; iretd 2_2_0708B635
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070E3BCF push eax; ret 2_2_070E3BD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070E4274 pushad ; ret 2_2_070E4275
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070E4698 push es; ret 2_2_070E490C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_070E48FC push es; ret 2_2_070E490C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07146408 push esp; ret 2_2_07146409
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07145FB0 push esp; retf 2_2_07145FBD
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004171D1 push ecx; ret 5_2_004171E4
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeFile created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeJump to dropped file

                  Boot Survival

                  barindex
                  Drops VBS files to the startup folder
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbsJump to dropped file
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbsJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbsJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004772DE
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_004772DE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_004375B0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,5_2_004772DE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_004375B0
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Contains functionality to detect sleep reduction / modifications
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004440780_2_00444078
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004440781_2_00444078
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004440785_2_00444078
                  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Switches to a custom stack to bypass stack traces
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeAPI/Special instruction interceptor: Address: 3E4C6B4
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeAPI/Special instruction interceptor: Address: 3BA862C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7215Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2602Jump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeAPI coverage: 3.3 %
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeAPI coverage: 3.5 %
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeAPI coverage: 3.4 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_00452126
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,1_2_0045C999
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,1_2_00436ADE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00434BEE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,1_2_00436D2D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00442E1F
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0045DD7C FindFirstFileW,FindClose,1_2_0045DD7C
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,1_2_0044BD29
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00475FE5
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0044BF8D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452126
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,5_2_0045C999
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,5_2_00436ADE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00434BEE
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,5_2_00436D2D
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442E1F
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0045DD7C FindFirstFileW,FindClose,5_2_0045DD7C
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD29
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00475FE5
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8D
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                  Source: pteropod.exe, 00000001.00000002.1710250692.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1700281231.0000000003084000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OKSBRDRMWQEMu
                  Source: RegSvcs.exe, 00000002.00000002.1927969800.0000000000ABC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_07088F60 LdrInitializeThunk,2_2_07088F60
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0045A259 BlockInput,0_2_0045A259
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_03E8F190 mov eax, dword ptr fs:[00000030h]0_2_03E8F190
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_03E8F130 mov eax, dword ptr fs:[00000030h]0_2_03E8F130
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_03E8DAB0 mov eax, dword ptr fs:[00000030h]0_2_03E8DAB0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_03E4B2A0 mov eax, dword ptr fs:[00000030h]1_2_03E4B2A0
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_03E4C980 mov eax, dword ptr fs:[00000030h]1_2_03E4C980
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_03E4C920 mov eax, dword ptr fs:[00000030h]1_2_03E4C920
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_03BA7218 mov eax, dword ptr fs:[00000030h]5_2_03BA7218
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_03BA8898 mov eax, dword ptr fs:[00000030h]5_2_03BA8898
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_03BA88F8 mov eax, dword ptr fs:[00000030h]5_2_03BA88F8
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_00426DA1
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0042202E SetUnhandledExceptionFilter,0_2_0042202E
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004230F5
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00417D93
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00421FA7
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0042202E SetUnhandledExceptionFilter,1_2_0042202E
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_004230F5
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00417D93
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00421FA7
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0042202E SetUnhandledExceptionFilter,5_2_0042202E
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_004230F5
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00417D93
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00421FA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Maps a DLL or memory area into another process
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6F3008Jump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 2FD008Jump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0043916A LogonUserW,0_2_0043916A
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_00436431
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00445DD3
                  Source: pteropod.exeBinary or memory string: Shell_TrayWnd
                  Source: 7xonkSJwuY.exe, pteropod.exe.0.drBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_00410D10 cpuid 0_2_00410D10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004223BC
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004711D2 GetUserNameW,0_2_004711D2
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0042039F
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected RedLine Stealer
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 2.2.RegSvcs.exe.6be0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegSvcs.exe.6be0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1939017014.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
                  Yara detected XWorm
                  Source: Yara matchFile source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.pteropod.exe.c10000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.pteropod.exe.2ec0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.pteropod.exe.c10000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: pteropod.exe PID: 7508, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: pteropod.exe PID: 7856, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7940, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                  Tries to steal Crypto Currency Wallets
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                  Source: pteropod.exe.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
                  Source: pteropod.exeBinary or memory string: WIN_XP
                  Source: pteropod.exeBinary or memory string: WIN_XPe
                  Source: pteropod.exeBinary or memory string: WIN_VISTA
                  Source: pteropod.exeBinary or memory string: WIN_7
                  Source: Yara matchFile source: 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected RedLine Stealer
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 2.2.RegSvcs.exe.6be0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegSvcs.exe.6be0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1939017014.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
                  Yara detected XWorm
                  Source: Yara matchFile source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.pteropod.exe.c10000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.pteropod.exe.2ec0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.pteropod.exe.c10000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: pteropod.exe PID: 7508, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: pteropod.exe PID: 7856, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7940, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_004741BB
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,0_2_0046483C
                  Source: C:\Users\user\Desktop\7xonkSJwuY.exeCode function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0047AD92
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_004741BB
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,1_2_0046483C
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 1_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,1_2_0047AD92
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_004741BB
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,5_2_0046483C
                  Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exeCode function: 5_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,5_2_0047AD92

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information111
                  Scripting                  		2
                  Valid Accounts                  		221
                  Windows Management Instrumentation                  		111
                  Scripting                  		1
                  Exploitation for Privilege Escalation                  		11
                  Disable or Modify Tools                  		1
                  OS Credential Dumping                  		2
                  System Time Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Native API                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		11
                  Deobfuscate/Decode Files or Information                  		121
                  Input Capture                  		1
                  Account Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		1
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt2
                  Valid Accounts                  		2
                  Valid Accounts                  		3
                  Obfuscated Files or Information                  		Security Account Manager3
                  File and Directory Discovery                  		SMB/Windows Admin Shares121
                  Input Capture                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron2
                  Registry Run Keys / Startup Folder                  		21
                  Access Token Manipulation                  		2
                  Software Packing                  		NTDS228
                  System Information Discovery                  		Distributed Component Object Model2
                  Clipboard Data                  		1
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection                  		1
                  DLL Side-Loading                  		LSA Secrets541
                  Security Software Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                  Registry Run Keys / Startup Folder                  		1
                  Masquerading                  		Cached Domain Credentials221
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                  Valid Accounts                  		DCSync2
                  Process Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job221
                  Virtualization/Sandbox Evasion                  		Proc Filesystem11
                  Application Window Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                  Access Token Manipulation                  		/etc/passwd and /etc/shadow1
                  System Owner/User Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
                  Process Injection                  		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538405 Sample: 7xonkSJwuY.exe Startdate: 21/10/2024 Architecture: WINDOWS Score: 100 31 Suricata IDS alerts for network traffic 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 13 other signatures 2->37 7 7xonkSJwuY.exe 3 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 25 C:\Users\user\AppData\Local\...\pteropod.exe, PE32 7->25 dropped 47 Contains functionality to detect sleep reduction / modifications 7->47 13 pteropod.exe 1 7->13         started        49 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->49 17 pteropod.exe 11->17         started        signatures5 process6 file7 27 C:\Users\user\AppData\...\pteropod.vbs, data 13->27 dropped 51 Multi AV Scanner detection for dropped file 13->51 53 Machine Learning detection for dropped file 13->53 55 Drops VBS files to the startup folder 13->55 61 2 other signatures 13->61 19 RegSvcs.exe 5 4 13->19         started        57 Writes to foreign memory regions 17->57 59 Maps a DLL or memory area into another process 17->59 23 RegSvcs.exe 1 17->23         started        signatures8 process9 dnsIp10 29 162.251.122.86, 49730, 49732, 57903 UNREAL-SERVERSUS Canada 19->29 39 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->39 41 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->41 43 Tries to harvest and steal browser information (history, passwords, etc) 19->43 45 Tries to steal Crypto Currency Wallets 19->45 signatures11

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  7xonkSJwuY.exe63%ReversingLabsWin32.Trojan.AutoitInject
                  7xonkSJwuY.exe30%VirustotalBrowse
                  7xonkSJwuY.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\arrogatingly\pteropod.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\arrogatingly\pteropod.exe63%ReversingLabsWin32.Trojan.AutoitInject

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/sc/sct0%URL Reputationsafe
                  https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk0%URL Reputationsafe
                  https://duckduckgo.com/ac/?q=0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha10%URL Reputationsafe
                  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%URL Reputationsafe
                  https://api.ip.sb/ip0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/sc0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%URL Reputationsafe
                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue0%URL Reputationsafe
                  https://www.ecosia.org/newtab/0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/08/addressing0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/trust0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%URL Reputationsafe
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.00%URL Reputationsafe
                  http://tempuri.org/Entity/Id12Response2%VirustotalBrowse
                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%URL Reputationsafe
                  http://tempuri.org/Entity/Id23ResponseD1%VirustotalBrowse
                  http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe
                  http://tempuri.org/Entity/Id2Response2%VirustotalBrowse
                  http://tempuri.org/Entity/Id14ResponseD2%VirustotalBrowse

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/02/sc/sctRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://duckduckgo.com/chrome_newtabRegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://duckduckgo.com/ac/?q=RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://tempuri.org/Entity/Id14ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                  http://tempuri.org/Entity/Id23ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://tempuri.org/Entity/Id12ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                  http://tempuri.org/RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                    		unknown
                    http://tempuri.org/Entity/Id2ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://tempuri.org/Entity/Id21ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id9RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://tempuri.org/Entity/Id8RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://tempuri.org/Entity/Id6ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            http://tempuri.org/Entity/Id5RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://tempuri.org/Entity/Id4RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                http://tempuri.org/Entity/Id7RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://tempuri.org/Entity/Id6RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://tempuri.org/Entity/Id19ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://tempuri.org/Entity/Id13ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2004/10/wsatRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://tempuri.org/Entity/Id15ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://tempuri.org/Entity/Id5ResponseDRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://tempuri.org/Entity/Id6ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://api.ip.sb/ipRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1939017014.0000000006BE0000.00000004.08000000.00040000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2004/04/scRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://tempuri.org/Entity/Id1ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://tempuri.org/Entity/Id9ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://tempuri.org/Entity/Id20RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    http://tempuri.org/Entity/Id21RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      http://tempuri.org/Entity/Id22RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://tempuri.org/Entity/Id23RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://tempuri.org/Entity/Id24RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://tempuri.org/Entity/Id24ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://www.ecosia.org/newtab/RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://tempuri.org/Entity/Id1ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://tempuri.org/Entity/Id21ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://tempuri.org/Entity/Id10RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    http://tempuri.org/Entity/Id11RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      http://tempuri.org/Entity/Id10ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        http://tempuri.org/Entity/Id12RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          http://tempuri.org/Entity/Id16ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://tempuri.org/Entity/Id13RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              http://tempuri.org/Entity/Id14RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		unknown
                                                                                http://tempuri.org/Entity/Id15RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  http://tempuri.org/Entity/Id16RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		unknown
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    http://tempuri.org/Entity/Id17RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      http://tempuri.org/Entity/Id18RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        http://tempuri.org/Entity/Id5ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		unknown
                                                                                          http://tempuri.org/Entity/Id19RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		unknown
                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            		unknown
                                                                                            http://tempuri.org/Entity/Id15ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		unknown
                                                                                              http://tempuri.org/Entity/Id10ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		unknown
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                		unknown
                                                                                                http://tempuri.org/Entity/Id11ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		unknown
                                                                                                  http://tempuri.org/Entity/Id8ResponseRegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://tempuri.org/Entity/Id17ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002B0D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		unknown
                                                                                                      http://schemas.xmlsoap.org/soap/envelope/RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      		unknown
                                                                                                      http://tempuri.org/Entity/Id8ResponseDRegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		unknown

                                                                                                        World Map of Contacted IPs

                                                                                                        • No. of IPs < 25%
                                                                                                        • 25% < No. of IPs < 50%
                                                                                                        • 50% < No. of IPs < 75%
                                                                                                        • 75% < No. of IPs

                                                                                                        Public IPs

                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                        162.251.122.86
                                                                                                        		unknownCanada
                                                                                                        		64236UNREAL-SERVERSUStrue

                                                                                                        General Information

                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                        Analysis ID:1538405
                                                                                                        Start date and time:2024-10-21 08:21:05 +02:00
                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                        Overall analysis duration:0h 7m 36s
                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                        Report type:full
                                                                                                        Cookbook file name:default.jbs
                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                        Number of analysed new started processes analysed:10
                                                                                                        Number of new started drivers analysed:0
                                                                                                        Number of existing processes analysed:0
                                                                                                        Number of existing drivers analysed:0
                                                                                                        Number of injected processes analysed:0
                                                                                                        Technologies:
                                                                                                        • HCA enabled
                                                                                                        • EGA enabled
                                                                                                        • AMSI enabled
                                                                                                        Analysis Mode:default
                                                                                                        Analysis stop reason:Timeout
                                                                                                        Sample name:7xonkSJwuY.exe
                                                                                                        renamed because original name is a hash value
                                                                                                        Original Sample Name:36881de84e2d129a6a32e7a5c5537aee.exe
                                                                                                        Detection:MAL
                                                                                                        Classification:mal100.troj.spyw.expl.evad.winEXE@10/5@0/1
                                                                                                        EGA Information:
                                                                                                        • Successful, ratio: 80%
                                                                                                        HCA Information:
                                                                                                        • Successful, ratio: 100%
                                                                                                        • Number of executed functions: 46
                                                                                                        • Number of non-executed functions: 318
                                                                                                        Cookbook Comments:
                                                                                                        • Found application associated with file extension: .exe

                                                                                                        Warnings

                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                        • Execution Graph export aborted for target RegSvcs.exe, PID 7940 because it is empty
                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                                        Simulations

                                                                                                        Behavior and APIs

                                                                                                        TimeTypeDescription
                                                                                                        02:22:07API Interceptor3x Sleep call for process: RegSvcs.exe modified
                                                                                                        07:22:03AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs

                                                                                                        Joe Sandbox View / Context

                                                                                                        IPs

                                                                                                        No context

                                                                                                        Domains

                                                                                                        No context

                                                                                                        ASNs

                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                        UNREAL-SERVERSUSRFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                        • 212.162.149.53
                                                                                                        PO OCTOBER 2024 _ PDF.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                        • 162.251.122.111
                                                                                                        1729014968354a73a6dcba5a43f0dc2c4d615a55b43a024f5a7b8361ffa956895f39b62184812.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                        • 204.10.160.167
                                                                                                        na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                        • 204.10.160.167
                                                                                                        Untitled_15-10-04.xlsGet hashmaliciousRemcosBrowse
                                                                                                        • 204.10.160.167
                                                                                                        PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                        • 212.162.149.53
                                                                                                        YNEu6suZ37.exeGet hashmaliciousGuLoaderBrowse
                                                                                                        • 204.10.160.209
                                                                                                        PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                                                                                        • 212.162.149.53
                                                                                                        nL0Vxav3OB.exeGet hashmaliciousRemcosBrowse
                                                                                                        • 204.10.160.212
                                                                                                        tyRPPK48Mk.exeGet hashmaliciousRemcosBrowse
                                                                                                        • 204.10.160.212

                                                                                                        JA3 Fingerprints

                                                                                                        No context

                                                                                                        Dropped Files

                                                                                                        No context

                                                                                                        Created / dropped Files

                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

                                                                                                        Download File
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):323
                                                                                                        Entropy (8bit):5.363435887027673
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6:Q3La/xwcz92W+P12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hz92n4M9tDLI4MWuPTAv
                                                                                                        MD5:A92E44C0313DAFEC1988D0D379E41A2F
                                                                                                        SHA1:C2F5644C418A81C1FB40F74298FF39D1420BFAC0
                                                                                                        SHA-256:F3F3E681BE07C36042639B1679ACF8B2D23BE037713D5E395C48006840DBE77A
                                                                                                        SHA-512:4F32FE6F35FC6EB4D4CF41EDEDE3C6B3FDFE31E58DA6FC7B301B1EBD3FBEEE64681C928B45E87CD556A1D32D32CB5932764EAB22FFEE11E42B8D5EB0DCFDC22C
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                                                                                                        C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                                                        Download File
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):29
                                                                                                        Entropy (8bit):3.598349098128234
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                                                        MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                                                        SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                                                        SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                                                        SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                                                        Malicious:false
                                                                                                        Reputation:moderate, very likely benign file
                                                                                                        Preview:....### explorer ###..[WIN]r

                                                                                                        C:\Users\user\AppData\Local\Temp\drawlingly

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\7xonkSJwuY.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):36864
                                                                                                        Entropy (8bit):6.8165733399748865
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:768:g5QWDmTBbxsrlsAETgNEsBrf0UbaUoWMETC+7bFy4:tFclZETg7BrbroWMBS/
                                                                                                        MD5:E5273617C63B8D068AD1FD31111B1B15
                                                                                                        SHA1:7BE066E4925D913A819F0749EB75A2F99A114211
                                                                                                        SHA-256:1AA59205A83EEC1B12058BE28AF3D7D078FCCC5D028F80FCE4D0332F546B6CA1
                                                                                                        SHA-512:41625581E3CB69478C05AE1093621097349FF285047DB11DE47F7A3C8F927FFDD0F0E01B93DB1F39A94F37F51F482F12719904C73F267C0901C3519407C894D1
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview:...6SV7CKIL7..Z2.R06D9MW.05Q9PGTZ6PV7COIL7XRZ2HR06D9MWT05Q9P.TZ6^I.MO.E.y.[~.sd^-Jm'&_R#X=g7;X>9Cc-,lE-<z[&rty.. 80U.\4ZcTZ6PV7C..L7.SY2..5QD9MWT05Q.PEUQ7[V7.OIL?XRZ2HR..D9MwT05.9PGT.6Pv7COKL7\RZ2HR06@9MWT05Q9PFTZ4PV7COIN7..Z2XR0&D9MWD05A9PGTZ6@V7COIL7XRZ2..06.9MWT.5Q.TGTZ6PV7COIL7XRZ2HR0.D9AWT05Q9PGTZ6PV7COIL7XRZ2HR06D9MWT05Q9PGTZ6PV7COIL7XRZ.HR86D9MWT05Q9POtZ6.V7COIL7XRZ2f&UN09MW`.5Q9pGTZ.PV7AOIL7XRZ2HR06D9mWTP.#J"$TZ6.R7CO.L7XTZ2H.06D9MWT05Q9PGT.6P..1*%#TXRV2HR0.D9MUT05.9PGTZ6PV7COIL7.RZpHR06D9MWT05Q9PGTJ.PV7COI.7XRX2MR.bD9..T04Q9PSTZ0PV7COIL7XRZ2HR06D9MWT05Q9PGTZ6PV7COIL7XRZ2HR06D9SU|15Q3zYVr2PV=i.:J7XX.3HR4EC9M].25Q=#OTZ<.U7CK:E7XX.6HR4.D9^gU0:Q9PFTZ'.W7CK&F7XXP.HT.6W.LW[05Q;PGE$4PV3,DIL=RyZ4bR#.E9BWT06Q9A9WZ6T9;COCF.XTp2[b16K9MWP05@GTGT^Y]V7IEbL1rRI.JR!6D9HWT!7R.AGTP.BV7IEbL1rRZ2[b16O9MWR05@;xTTZ<Z}7EeI_.YRU2HR76D(.RT07y-PG^P.PP.C\yM7SRZ2@R0'F.XWT:?z9VmTI.QV/COIE7XCX.IR0-i3eVT0.[.VlPX<{V1i\yN7HRZ2BR0'G+M.A25Q"V.VZ6K|)Ag^L7RxI.IR.6D9FWT!KH9PM.Y6PM.IgKL7s.C2HXN/D9G].03{'RoCZ6Z|$sMI

                                                                                                        C:\Users\user\AppData\Local\arrogatingly\pteropod.exe

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\Desktop\7xonkSJwuY.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):781957
                                                                                                        Entropy (8bit):6.874954318558831
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QL4ohDPj:ffmMv6Ckr7Mny5QLjzj
                                                                                                        MD5:36881DE84E2D129A6A32E7A5C5537AEE
                                                                                                        SHA1:7E022793522C1F22103A5946AC4B204F3AB58706
                                                                                                        SHA-256:9378BCF50D0A58428C5B2F7FD2284579927A48FD2E9D8F4F8395F932CB3DB1A6
                                                                                                        SHA-512:CC3BE75F7857CEF10939000C49C925AA7BAFFD3E6507C84CCA3BFBDC7223CCBB336BBDD43F5CF023F523790E4E59E7E1F08BF2F969F64AB76E1111E19C533179
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: ReversingLabs, Detection: 63%
                                                                                                        Reputation:low
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@..........................P......5!........@.......@.....................<...T.................................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc................H..............@..@................................................................................................................................................................................................................................................................................................................................

                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs

                                                                                                        Download File
                                                                                                        Process:C:\Users\user\AppData\Local\arrogatingly\pteropod.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):282
                                                                                                        Entropy (8bit):3.4150380438165855
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1El119ycK6E7nriIM8lfQVn:DsO+vNloRKQ1El11VEDmA2n
                                                                                                        MD5:DFE0D8B6772C7C0561A38C745918EEB8
                                                                                                        SHA1:BA987A6B8115948EE4B6F3D06DDE20B02D233BDC
                                                                                                        SHA-256:24050CF02CD21CAB96F409BB8086656BABC1D546799EB0D5C078F6709DF5F814
                                                                                                        SHA-512:0698CD8048EA8F1C10CAF04568FBE7A6EBEF5B640E6D4D61080A81CC976829C6408F38781381E3DF87943FC733E781F802D203514CA10FC1026E6484B2540449
                                                                                                        Malicious:true
                                                                                                        Reputation:low
                                                                                                        Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.a.r.r.o.g.a.t.i.n.g.l.y.\.p.t.e.r.o.p.o.d...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Entropy (8bit):6.874954318558831
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) a (10002005/4) 95.11%
                                                                                                        • AutoIt3 compiled script executable (510682/80) 4.86%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                        File name:7xonkSJwuY.exe
                                                                                                        File size:781'957 bytes
                                                                                                        MD5:36881de84e2d129a6a32e7a5c5537aee
                                                                                                        SHA1:7e022793522c1f22103a5946ac4b204f3ab58706
                                                                                                        SHA256:9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6
                                                                                                        SHA512:cc3be75f7857cef10939000c49c925aa7baffd3e6507c84cca3bfbdc7223ccbb336bbdd43f5cf023f523790e4e59e7e1f08bf2f969f64ab76e1111e19c533179
                                                                                                        SSDEEP:12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QL4ohDPj:ffmMv6Ckr7Mny5QLjzj
                                                                                                        TLSH:36F4BF12F3D680B6D9A33971297BE32BEB3575194323C5CBA7E02E778E211409B36761
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

                                                                                                        File Icon

                                                                                                        Icon Hash:1733312925935517

                                                                                                        Static PE Info

                                                                                                        General

                                                                                                        Entrypoint:0x416310
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                        Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:
                                                                                                        OS Version Major:5
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:5
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:5
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:aaaa8913c89c8aa4a5d93f06853894da

                                                                                                        Entrypoint Preview

                                                                                                        Instruction
                                                                                                        call 00007FDA0850287Ch
                                                                                                        jmp 00007FDA084F664Eh
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        push ebp
                                                                                                        mov ebp, esp
                                                                                                        push edi
                                                                                                        push esi
                                                                                                        mov esi, dword ptr [ebp+0Ch]
                                                                                                        mov ecx, dword ptr [ebp+10h]
                                                                                                        mov edi, dword ptr [ebp+08h]
                                                                                                        mov eax, ecx
                                                                                                        mov edx, ecx
                                                                                                        add eax, esi
                                                                                                        cmp edi, esi
                                                                                                        jbe 00007FDA084F67DAh
                                                                                                        cmp edi, eax
                                                                                                        jc 00007FDA084F697Ah
                                                                                                        cmp ecx, 00000100h
                                                                                                        jc 00007FDA084F67F1h
                                                                                                        cmp dword ptr [004A94E0h], 00000000h
                                                                                                        je 00007FDA084F67E8h
                                                                                                        push edi
                                                                                                        push esi
                                                                                                        and edi, 0Fh
                                                                                                        and esi, 0Fh
                                                                                                        cmp edi, esi
                                                                                                        pop esi
                                                                                                        pop edi
                                                                                                        jne 00007FDA084F67DAh
                                                                                                        pop esi
                                                                                                        pop edi
                                                                                                        pop ebp
                                                                                                        jmp 00007FDA084F6C3Ah
                                                                                                        test edi, 00000003h
                                                                                                        jne 00007FDA084F67E7h
                                                                                                        shr ecx, 02h
                                                                                                        and edx, 03h
                                                                                                        cmp ecx, 08h
                                                                                                        jc 00007FDA084F67FCh
                                                                                                        rep movsd
                                                                                                        jmp dword ptr [00416494h+edx*4]
                                                                                                        nop
                                                                                                        mov eax, edi
                                                                                                        mov edx, 00000003h
                                                                                                        sub ecx, 04h
                                                                                                        jc 00007FDA084F67DEh
                                                                                                        and eax, 03h
                                                                                                        add ecx, eax
                                                                                                        jmp dword ptr [004163A8h+eax*4]
                                                                                                        jmp dword ptr [004164A4h+ecx*4]
                                                                                                        nop
                                                                                                        jmp dword ptr [00416428h+ecx*4]
                                                                                                        nop
                                                                                                        mov eax, E4004163h
                                                                                                        arpl word ptr [ecx+00h], ax
                                                                                                        or byte ptr [ecx+eax*2+00h], ah
                                                                                                        and edx, ecx
                                                                                                        mov al, byte ptr [esi]
                                                                                                        mov byte ptr [edi], al
                                                                                                        mov al, byte ptr [esi+01h]
                                                                                                        mov byte ptr [edi+01h], al
                                                                                                        mov al, byte ptr [esi+02h]
                                                                                                        shr ecx, 02h
                                                                                                        mov byte ptr [edi+02h], al
                                                                                                        add esi, 03h
                                                                                                        add edi, 03h
                                                                                                        cmp ecx, 08h
                                                                                                        jc 00007FDA084F679Eh

                                                                                                        Rich Headers

                                                                                                        Programming Language:
                                                                                                        • [ASM] VS2008 SP1 build 30729
                                                                                                        • [ C ] VS2008 SP1 build 30729
                                                                                                        • [C++] VS2008 SP1 build 30729
                                                                                                        • [ C ] VS2005 build 50727
                                                                                                        • [IMP] VS2005 build 50727
                                                                                                        • [ASM] VS2008 build 21022
                                                                                                        • [RES] VS2008 build 21022
                                                                                                        • [LNK] VS2008 SP1 build 30729

                                                                                                        Data Directories

                                                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x8cd3c0x154.rdata
                                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xab0000x9298.rsrc
                                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_IAT0x820000x840.rdata
                                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                        Sections

                                                                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                        .text0x10000x800170x802006c20c6bf686768b6f134f5bd508171bcFalse0.5602991615853659data6.634688230255595IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                        .rdata0x820000xd95c0xda00f979966509a93083729d23cdfd2a6f2dFalse0.36256450688073394data4.880040824124099IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                        .data0x900000x1a5180x6800e5d77411f751d28c6eee48a743606795False0.1600060096153846data2.2017649896261107IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                        .rsrc0xab0000x92980x9400f6be76de0ef2c68f397158bf01bdef3eFalse0.4896801097972973data5.530303089784181IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                        Resources

                                                                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                        RT_ICON0xab5c80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                                                                                                        RT_ICON0xab6f00x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                                                                                                        RT_ICON0xab8180x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                                                                                                        RT_ICON0xab9400x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishGreat Britain0.48109756097560974
                                                                                                        RT_ICON0xabfa80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishGreat Britain0.5672043010752689
                                                                                                        RT_ICON0xac2900x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishGreat Britain0.6418918918918919
                                                                                                        RT_ICON0xac3b80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishGreat Britain0.7044243070362474
                                                                                                        RT_ICON0xad2600x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishGreat Britain0.8077617328519856
                                                                                                        RT_ICON0xadb080x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishGreat Britain0.5903179190751445
                                                                                                        RT_ICON0xae0700x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishGreat Britain0.5503112033195021
                                                                                                        RT_ICON0xb06180x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishGreat Britain0.6050656660412758
                                                                                                        RT_ICON0xb16c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishGreat Britain0.7553191489361702
                                                                                                        RT_MENU0xb1b280x50dataEnglishGreat Britain0.9
                                                                                                        RT_DIALOG0xb1b780xfcdataEnglishGreat Britain0.6507936507936508
                                                                                                        RT_STRING0xb1c780x530dataEnglishGreat Britain0.33960843373493976
                                                                                                        RT_STRING0xb21a80x690dataEnglishGreat Britain0.26964285714285713
                                                                                                        RT_STRING0xb28380x43adataEnglishGreat Britain0.3733826247689464
                                                                                                        RT_STRING0xb2c780x5fcdataEnglishGreat Britain0.3087467362924282
                                                                                                        RT_STRING0xb32780x65cdataEnglishGreat Britain0.34336609336609336
                                                                                                        RT_STRING0xb38d80x388dataEnglishGreat Britain0.377212389380531
                                                                                                        RT_STRING0xb3c600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishUnited States0.502906976744186
                                                                                                        RT_GROUP_ICON0xb3db80x84dataEnglishGreat Britain0.6439393939393939
                                                                                                        RT_GROUP_ICON0xb3e400x14dataEnglishGreat Britain1.15
                                                                                                        RT_GROUP_ICON0xb3e580x14dataEnglishGreat Britain1.25
                                                                                                        RT_GROUP_ICON0xb3e700x14dataEnglishGreat Britain1.25
                                                                                                        RT_VERSION0xb3e880x19cdataEnglishGreat Britain0.5339805825242718
                                                                                                        RT_MANIFEST0xb40280x26cASCII text, with CRLF line terminatorsEnglishUnited States0.5145161290322581

                                                                                                        Imports

                                                                                                        DLLImport
                                                                                                        WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                                                                                                        VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                                                                                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                                                        COMCTL32.dllImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                                                                                        MPR.dllWNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                                                                                        WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                                                                                        PSAPI.DLLEnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                                                                                        USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                                                                                        KERNEL32.dllHeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
                                                                                                        USER32.dllSetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
                                                                                                        GDI32.dllDeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
                                                                                                        COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                                                                        ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
                                                                                                        SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                                                                        ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
                                                                                                        OLEAUT32.dllSafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

                                                                                                        Possible Origin

                                                                                                        Language of compilation systemCountry where language is spokenMap
                                                                                                        EnglishGreat Britain
                                                                                                        EnglishUnited States

                                                                                                        Network Behavior

                                                                                                        Suricata IDS Alerts

                                                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                        2024-10-21T08:22:08.832977+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1162.251.122.8657903192.168.2.449730TCP
                                                                                                        2024-10-21T08:22:08.832977+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21162.251.122.8657903192.168.2.449730TCP
                                                                                                        2024-10-21T08:22:12.141900+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:12.141900+02002046045ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:12.280819+02002043234ET MALWARE Redline Stealer TCP CnC - Id1Response1162.251.122.865798192.168.2.449732TCP
                                                                                                        2024-10-21T08:22:17.334957+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:17.551342+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:17.556288+02002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)1162.251.122.865798192.168.2.449732TCP
                                                                                                        2024-10-21T08:22:17.704856+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:17.869834+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:18.124874+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:18.129914+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:18.865275+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:19.072918+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:19.216159+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:19.352473+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:19.517333+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:19.638440+02002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.449730162.251.122.8657903TCP
                                                                                                        2024-10-21T08:22:19.655440+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:19.777468+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1162.251.122.8657903192.168.2.449730TCP
                                                                                                        2024-10-21T08:22:19.779826+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449730162.251.122.8657903TCP
                                                                                                        2024-10-21T08:22:20.045535+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:20.657105+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:20.825730+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:21.019224+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:21.181704+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:21.319308+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:21.496685+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:21.647902+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:21.786715+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:21.923123+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP
                                                                                                        2024-10-21T08:22:22.115591+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.449732162.251.122.865798TCP

                                                                                                        Network Port Distribution

                                                                                                        TCP Packets

                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                        Oct 21, 2024 08:22:07.806113005 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:07.811203003 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:07.811304092 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:07.889448881 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:07.897794962 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:08.832977057 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:08.885428905 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.778394938 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.778414965 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.778423071 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.778434038 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.778448105 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.778470993 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.778475046 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.778584003 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.778584003 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.789305925 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.789315939 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.789325953 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.789336920 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.789361000 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.789391041 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.794074059 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.794085979 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.794096947 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.794107914 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.794142008 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.794169903 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.898551941 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.898566008 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.898580074 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.898591042 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.898614883 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.898655891 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.903270960 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.903289080 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.903300047 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.903311968 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.903325081 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.903342962 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.903372049 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.908127069 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.908140898 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.908190012 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.909415960 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.909435987 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.909461021 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.912878990 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.912890911 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.912940025 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.914169073 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.914181948 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.914192915 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.914216995 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.914244890 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.917634964 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.917648077 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.917690992 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.918926001 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.918939114 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.918948889 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.918998003 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.922424078 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.922436953 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.922486067 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.923635006 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.923650980 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:09.923682928 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:09.979178905 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.018848896 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.018860102 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.018871069 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.018881083 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.018893003 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.018894911 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.018940926 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.019195080 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.019207001 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.019217014 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.019226074 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.019237041 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.019248009 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.019283056 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.019283056 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.020057917 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020075083 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020085096 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020097017 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020107985 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.020109892 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020138025 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.020812035 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020824909 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020843983 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020853996 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.020854950 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020869017 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.020885944 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.020906925 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.029782057 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.029793024 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.029803991 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.029818058 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.029829979 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.029845953 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.029880047 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.030067921 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.030077934 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.030086994 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.030105114 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.030114889 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.030122042 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.030126095 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.030141115 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.030145884 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.030160904 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.030189991 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.030973911 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031081915 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031092882 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031102896 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031114101 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031126022 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031131029 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.031137943 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031150103 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.031176090 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.031785011 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031801939 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031814098 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031821012 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.031822920 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031836987 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.031845093 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.031887054 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.032349110 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.032377005 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.032390118 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.032433987 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.032448053 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.032459021 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.032504082 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.138835907 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.138894081 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.138907909 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.138940096 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.139056921 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139107943 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.139147997 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139166117 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139179945 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139190912 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139204979 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139209986 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.139216900 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139230013 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139233112 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.139254093 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.139511108 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139556885 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.139595032 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139612913 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139624119 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139635086 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.139655113 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.139686108 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.140085936 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140105009 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140116930 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140127897 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140137911 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.140141964 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140155077 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140161037 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.140166998 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140180111 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140192032 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140203953 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.140219927 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.140747070 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140765905 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.140794992 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.151719093 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151762962 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151773930 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151796103 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151808977 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151819944 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.151820898 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151834965 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151843071 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.151849031 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151865005 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.151868105 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151881933 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.151916027 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.152077913 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152113914 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152126074 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152154922 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.152184963 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.152195930 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152206898 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152225971 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152239084 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152247906 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.152252913 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152266026 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152276993 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.152278900 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.152298927 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.153032064 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.153043985 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.153055906 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:10.153129101 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:10.153129101 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:11.483937979 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:11.488872051 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:11.488956928 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:11.497539043 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:11.502505064 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:12.104427099 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:12.141900063 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:12.146903992 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:12.280818939 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:12.322945118 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:17.334956884 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:17.339770079 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.470288992 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.470300913 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.470312119 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.470316887 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.470328093 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.470367908 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:17.510435104 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:17.551342010 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:17.556288004 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.685169935 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.704855919 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:17.709867001 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.709904909 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.709953070 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.709963083 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.710028887 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.710046053 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.710095882 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.710113049 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.861428976 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:17.869833946 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:17.875776052 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.005131960 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.057420015 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.124874115 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.129831076 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.129848003 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.129890919 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.129899979 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.129914045 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.129939079 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.129952908 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.129961967 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.129993916 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130002975 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130012989 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130013943 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.130029917 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130053997 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.130079031 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.130106926 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130115032 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130136013 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130145073 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130167961 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.130198002 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.130219936 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130228996 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130263090 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.130280018 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.130327940 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.135490894 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.137991905 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.139712095 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.141876936 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143076897 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143085003 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143090963 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143138885 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143157005 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143178940 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143205881 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143213987 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143265009 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143291950 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143310070 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143318892 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143326998 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143352032 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143361092 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143373966 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143399954 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143409014 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143425941 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143461943 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143469095 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143480062 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143515110 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143518925 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143532991 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143541098 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143558025 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143565893 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143565893 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143594980 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143599033 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143608093 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143610954 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143647909 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143656015 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143666029 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143692017 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143707991 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143712997 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143716097 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143718958 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143731117 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143748045 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143760920 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143789053 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143794060 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143798113 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143807888 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.143836975 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143865108 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143872976 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143896103 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143904924 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143913031 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143923044 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143932104 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143940926 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.143949032 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.144027948 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.146795988 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.146833897 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148060083 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148068905 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148180962 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148190022 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148196936 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148205042 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148227930 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148236036 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148329973 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148339033 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148341894 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148349047 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148365021 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148377895 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148397923 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148406982 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148494959 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148499966 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.148504972 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148535967 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148544073 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148551941 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.148552895 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148576021 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148621082 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148629904 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148669958 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148680925 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148684025 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.148704052 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.149082899 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.149091959 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.150352001 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.150569916 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.150625944 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.153485060 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153502941 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153592110 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153600931 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153671980 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153681040 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153697014 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153704882 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153754950 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153764009 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153789043 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153803110 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153879881 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153887987 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153934956 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153944016 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153981924 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.153990030 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154035091 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154079914 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154120922 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154138088 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154181957 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154238939 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154247046 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154284954 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154297113 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154331923 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154340982 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154388905 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154397011 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154402971 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154536009 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154545069 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154552937 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154563904 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154609919 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154623032 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154669046 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154706001 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154762983 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154833078 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.154841900 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155081987 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.155143023 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.155482054 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155558109 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155581951 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155674934 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155708075 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155785084 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155822992 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155867100 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155942917 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.155987978 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156061888 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156133890 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156176090 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156260967 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156317949 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156413078 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156455040 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156533003 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156569004 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156651020 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156697989 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156740904 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156750917 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156857967 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156877041 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156886101 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.156898022 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.157139063 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.157197952 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.160047054 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160120964 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160218000 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160228014 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160235882 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160244942 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160262108 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160269976 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160288095 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160298109 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160351992 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160361052 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160371065 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160379887 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160406113 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160414934 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160497904 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160506964 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160528898 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160537958 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160556078 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160564899 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160619020 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160628080 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160667896 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160676956 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160690069 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160701036 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160711050 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160769939 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160788059 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160797119 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160844088 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160852909 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160887003 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160939932 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160958052 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160965919 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.160998106 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161006927 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161077023 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161086082 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161128998 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161138058 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161174059 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161206007 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161248922 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161304951 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.161314964 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162008047 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162055969 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162071943 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162082911 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162189960 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162199974 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162208080 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162216902 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162255049 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.162269115 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162277937 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162291050 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162301064 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162307978 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.162450075 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162460089 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162468910 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162477970 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162487030 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162496090 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162514925 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162528038 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162535906 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162548065 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162568092 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162578106 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162622929 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162631989 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162643909 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162653923 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162666082 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162674904 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162698984 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162708044 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162727118 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162756920 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162765980 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162821054 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162831068 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162837982 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162878036 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162887096 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162894964 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162904024 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162971973 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162981033 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162985086 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.162992001 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.163017988 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.163028002 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.163037062 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.163098097 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.163106918 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.163110018 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.163139105 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167222023 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167232037 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167275906 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167284966 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167349100 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167362928 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167387962 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167398930 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167423010 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.167434931 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167481899 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.167562008 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167571068 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167577982 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167587996 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167598009 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167627096 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167635918 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167644024 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167651892 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167660952 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167679071 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167690039 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167697906 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167747974 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167757034 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167768955 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167820930 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167829990 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167836905 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167851925 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167897940 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167907000 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167928934 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.167937994 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168050051 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168060064 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168067932 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168076992 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168085098 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168095112 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168103933 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168142080 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168150902 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168154955 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168162107 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168170929 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168180943 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168189049 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168196917 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168293953 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168303013 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168309927 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168318987 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.168328047 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173211098 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173219919 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173290968 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173300028 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173414946 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.173453093 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173460960 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173468113 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173471928 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.173476934 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173485041 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173504114 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173512936 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173521042 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173537016 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173544884 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173599005 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173608065 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173656940 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173665047 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173676014 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173685074 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173717022 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173726082 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173758984 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173767090 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173788071 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173794985 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173824072 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173832893 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173881054 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173888922 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173904896 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173913002 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173942089 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173949957 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173959017 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.173968077 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174119949 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174129009 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174138069 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174146891 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174154043 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174170971 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174179077 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174185991 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174194098 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174197912 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174201965 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174211025 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174226999 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174236059 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174252987 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174261093 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.174300909 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179523945 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179533958 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179584026 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179595947 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179640055 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179647923 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179651976 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179655075 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179672003 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179681063 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179730892 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179738045 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.179739952 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179794073 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.179867983 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179877043 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179883957 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179892063 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179905891 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179913998 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179948092 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179955959 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179975986 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.179994106 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180013895 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180022955 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180067062 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180075884 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180114031 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180121899 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180135965 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180213928 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180222034 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180224895 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180249929 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180258036 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180402040 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180486917 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180496931 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180502892 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180520058 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180529118 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180583000 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180591106 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180617094 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180624962 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180682898 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180691957 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180711031 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180866957 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180875063 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180918932 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180927992 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180943012 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.180951118 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185746908 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185755014 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185762882 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185770988 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185789108 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185796976 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185830116 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185838938 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185884953 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185894012 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185899019 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.185900927 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185909986 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185929060 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185936928 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.185995102 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186003923 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186434984 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186443090 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186448097 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186482906 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186619043 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186628103 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186635017 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186649084 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186656952 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186674118 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186681986 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186690092 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186753988 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186763048 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186810017 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186817884 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186871052 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186878920 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186918974 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186927080 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.186968088 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187016964 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187031984 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187043905 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187077045 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187094927 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187243938 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187252045 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187254906 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187262058 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187269926 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187278986 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187295914 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187304020 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187333107 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187340021 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.187350035 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191704988 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191713095 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191766977 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191775084 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191840887 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191848993 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191857100 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191865921 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191885948 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191894054 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191900015 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191906929 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191943884 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.191951990 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.192322969 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.192409992 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.192418098 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.192434072 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.192441940 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.192487001 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.192496061 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.192504883 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.862605095 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:18.865274906 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:18.870081902 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.000081062 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.041781902 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:19.072917938 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:19.077866077 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.206924915 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.216159105 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:19.221108913 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.350187063 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.352473021 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:19.357321024 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.486540079 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.517333031 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:19.522264004 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.638439894 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:19.643476009 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.651298046 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.655440092 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:19.660339117 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.777467966 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.779825926 CEST4973057903192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:19.784934044 CEST5790349730162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.789446115 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:19.838546038 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:20.045535088 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:20.050632000 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:20.179604053 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:20.229202986 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:20.657104969 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:20.662056923 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:20.662069082 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:20.662080050 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:20.791332006 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:20.825730085 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:20.830590010 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:20.959789991 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.010445118 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.019223928 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.024146080 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024166107 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024265051 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024275064 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024317980 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024327993 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024450064 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024457932 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024465084 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024473906 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.024483919 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.028913975 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.028923035 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.028990030 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.028999090 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.029017925 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.029027939 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.171839952 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.181704044 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.186800003 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.315538883 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.319308043 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.324074984 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.453180075 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.494829893 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.496685028 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.501501083 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.630681038 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.647902012 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.652914047 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.781852007 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.786715031 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.791582108 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.921361923 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:21.923122883 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:21.927954912 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:22.057149887 CEST579849732162.251.122.86192.168.2.4
                                                                                                        Oct 21, 2024 08:22:22.104193926 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:22.115591049 CEST497325798192.168.2.4162.251.122.86
                                                                                                        Oct 21, 2024 08:22:22.115766048 CEST4973057903192.168.2.4162.251.122.86

                                                                                                        UDP Packets

                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                        Oct 21, 2024 08:22:40.252168894 CEST5350223162.159.36.2192.168.2.4
                                                                                                        Oct 21, 2024 08:22:40.878885984 CEST53560681.1.1.1192.168.2.4

                                                                                                        Statistics

                                                                                                        CPU Usage

                                                                                                        Click to jump to process

                                                                                                        Memory Usage

                                                                                                        Click to jump to process

                                                                                                        High Level Behavior Distribution

                                                                                                        Click to dive into process behavior distribution

                                                                                                        Behavior

                                                                                                        Click to jump to process

                                                                                                        System Behavior

                                                                                                        General

                                                                                                        Target ID:0
                                                                                                        Start time:02:21:54
                                                                                                        Start date:21/10/2024
                                                                                                        Path:C:\Users\user\Desktop\7xonkSJwuY.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\7xonkSJwuY.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:781'957 bytes
                                                                                                        MD5 hash:36881DE84E2D129A6A32E7A5C5537AEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:1
                                                                                                        Start time:02:21:57
                                                                                                        Start date:21/10/2024
                                                                                                        Path:C:\Users\user\AppData\Local\arrogatingly\pteropod.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\7xonkSJwuY.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:781'957 bytes
                                                                                                        MD5 hash:36881DE84E2D129A6A32E7A5C5537AEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 63%, ReversingLabs
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:2
                                                                                                        Start time:02:22:00
                                                                                                        Start date:21/10/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\7xonkSJwuY.exe"
                                                                                                        Imagebase:0x570000
                                                                                                        File size:45'984 bytes
                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1939017014.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:4
                                                                                                        Start time:02:22:11
                                                                                                        Start date:21/10/2024
                                                                                                        Path:C:\Windows\System32\wscript.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs"
                                                                                                        Imagebase:0x7ff673d40000
                                                                                                        File size:170'496 bytes
                                                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:5
                                                                                                        Start time:02:22:12
                                                                                                        Start date:21/10/2024
                                                                                                        Path:C:\Users\user\AppData\Local\arrogatingly\pteropod.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Local\arrogatingly\pteropod.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:781'957 bytes
                                                                                                        MD5 hash:36881DE84E2D129A6A32E7A5C5537AEE
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        General

                                                                                                        Target ID:6
                                                                                                        Start time:02:22:16
                                                                                                        Start date:21/10/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Local\arrogatingly\pteropod.exe"
                                                                                                        Imagebase:0x160000
                                                                                                        File size:45'984 bytes
                                                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Disassembly

                                                                                                        Reset < >

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:2.9%
                                                                                                          Dynamic/Decrypted Code Coverage:1.1%
                                                                                                          Signature Coverage:3.2%
                                                                                                          Total number of Nodes:1654
                                                                                                          Total number of Limit Nodes:33
                                                                                                          execution_graph 84604 40f110 RegOpenKeyExW 84605 40f13c RegQueryValueExW RegCloseKey 84604->84605 84606 40f15f 84604->84606 84605->84606 84607 429212 84612 410b90 84607->84612 84610 411421 __cinit 74 API calls 84611 42922f 84610->84611 84613 410b9a __write_nolock 84612->84613 84614 41171a 75 API calls 84613->84614 84615 410c31 GetModuleFileNameW 84614->84615 84629 413db0 84615->84629 84617 410c66 _wcsncat 84632 413e3c 84617->84632 84620 41171a 75 API calls 84621 410ca3 _wcscpy 84620->84621 84622 410cd1 RegOpenKeyExW 84621->84622 84623 429bc3 RegQueryValueExW 84622->84623 84624 410cf7 84622->84624 84625 429cd9 RegCloseKey 84623->84625 84627 429bf2 _wcscat _wcslen _wcsncpy 84623->84627 84624->84610 84626 41171a 75 API calls 84626->84627 84627->84626 84628 429cd8 84627->84628 84628->84625 84635 413b95 84629->84635 84665 41abec 84632->84665 84636 413c2f 84635->84636 84642 413bae 84635->84642 84637 413d60 84636->84637 84638 413d7b 84636->84638 84661 417f23 67 API calls __getptd_noexit 84637->84661 84663 417f23 67 API calls __getptd_noexit 84638->84663 84641 413d65 84644 413cfb 84641->84644 84662 417ebb 6 API calls 2 library calls 84641->84662 84642->84636 84645 413c1d 84642->84645 84657 41ab19 67 API calls _set_new_mode 84642->84657 84644->84617 84645->84636 84653 413c9b 84645->84653 84658 41ab19 67 API calls _set_new_mode 84645->84658 84647 413d03 84647->84636 84647->84644 84649 413d8e 84647->84649 84648 413cb9 84648->84636 84655 413cd6 84648->84655 84659 41ab19 67 API calls _set_new_mode 84648->84659 84664 41ab19 67 API calls _set_new_mode 84649->84664 84652 413cef 84660 41ab19 67 API calls _set_new_mode 84652->84660 84653->84647 84653->84648 84655->84636 84655->84644 84655->84652 84657->84645 84658->84653 84659->84655 84660->84644 84661->84641 84663->84641 84664->84644 84666 41ac02 84665->84666 84667 41abfd 84665->84667 84674 417f23 67 API calls __getptd_noexit 84666->84674 84667->84666 84673 41ac22 84667->84673 84669 41ac07 84675 417ebb 6 API calls 2 library calls 84669->84675 84672 410c99 84672->84620 84673->84672 84676 417f23 67 API calls __getptd_noexit 84673->84676 84674->84669 84676->84669 84677 401230 84678 401241 _memset 84677->84678 84679 4012c5 84677->84679 84680 401be0 77 API calls 84678->84680 84681 40126b 84680->84681 84682 4012ae KillTimer SetTimer 84681->84682 84683 42aa61 84681->84683 84684 401298 84681->84684 84682->84679 84685 42aa8b Shell_NotifyIconW 84683->84685 84686 42aa69 Shell_NotifyIconW 84683->84686 84687 4012a2 84684->84687 84688 42aaac 84684->84688 84685->84682 84686->84682 84687->84682 84691 42aaf8 Shell_NotifyIconW 84687->84691 84689 42aad7 Shell_NotifyIconW 84688->84689 84690 42aab5 Shell_NotifyIconW 84688->84690 84689->84682 84690->84682 84691->84682 84692 4034b0 84693 4034b9 84692->84693 84694 4034bd 84692->84694 84695 41171a 75 API calls 84694->84695 84696 42a0ba 84694->84696 84697 4034fe _memcpy_s ctype 84695->84697 83129 4161c2 83130 4161d3 83129->83130 83164 41aa31 HeapCreate 83130->83164 83133 416212 83166 416e29 GetModuleHandleW 83133->83166 83137 416223 __RTC_Initialize 83200 41b669 83137->83200 83140 416231 83141 41623d GetCommandLineW 83140->83141 83269 4117af 67 API calls 3 library calls 83140->83269 83215 42235f GetEnvironmentStringsW 83141->83215 83144 41623c 83144->83141 83145 41624c 83221 4222b1 GetModuleFileNameW 83145->83221 83147 416256 83148 416261 83147->83148 83270 4117af 67 API calls 3 library calls 83147->83270 83225 422082 83148->83225 83154 416272 83238 41186e 83154->83238 83155 416279 83157 416284 __wwincmdln 83155->83157 83272 4117af 67 API calls 3 library calls 83155->83272 83244 40d7f0 83157->83244 83160 4162b3 83274 411a4b 67 API calls _doexit 83160->83274 83163 4162b8 _flsall 83165 416206 83164->83165 83165->83133 83267 41616a 67 API calls 3 library calls 83165->83267 83167 416e44 83166->83167 83168 416e3d 83166->83168 83170 416fac 83167->83170 83171 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 83167->83171 83275 41177f Sleep GetModuleHandleW 83168->83275 83305 416ad5 70 API calls 2 library calls 83170->83305 83174 416e97 TlsAlloc 83171->83174 83173 416e43 83173->83167 83176 416218 83174->83176 83177 416ee5 TlsSetValue 83174->83177 83176->83137 83268 41616a 67 API calls 3 library calls 83176->83268 83177->83176 83178 416ef6 83177->83178 83276 411a69 6 API calls 4 library calls 83178->83276 83180 416efb 83277 41696e TlsGetValue 83180->83277 83183 41696e __encode_pointer 6 API calls 83184 416f16 83183->83184 83185 41696e __encode_pointer 6 API calls 83184->83185 83186 416f26 83185->83186 83187 41696e __encode_pointer 6 API calls 83186->83187 83188 416f36 83187->83188 83287 41828b InitializeCriticalSectionAndSpinCount __ioinit 83188->83287 83190 416f43 83190->83170 83288 4169e9 TlsGetValue 83190->83288 83195 4169e9 __decode_pointer 6 API calls 83196 416f8a 83195->83196 83196->83170 83197 416f91 83196->83197 83304 416b12 67 API calls 5 library calls 83197->83304 83199 416f99 GetCurrentThreadId 83199->83176 83418 41718c 83200->83418 83202 41b675 GetStartupInfoA 83203 416ffb __calloc_crt 67 API calls 83202->83203 83210 41b696 83203->83210 83204 41b8b4 _flsall 83204->83140 83205 41b831 GetStdHandle 83209 41b7fb 83205->83209 83206 416ffb __calloc_crt 67 API calls 83206->83210 83207 41b896 SetHandleCount 83207->83204 83208 41b843 GetFileType 83208->83209 83209->83204 83209->83205 83209->83207 83209->83208 83420 4189e6 InitializeCriticalSectionAndSpinCount _flsall 83209->83420 83210->83204 83210->83206 83210->83209 83211 41b77e 83210->83211 83211->83204 83211->83209 83212 41b7a7 GetFileType 83211->83212 83419 4189e6 InitializeCriticalSectionAndSpinCount _flsall 83211->83419 83212->83211 83216 422370 83215->83216 83217 422374 83215->83217 83216->83145 83218 416fb6 __malloc_crt 67 API calls 83217->83218 83220 422395 _memcpy_s 83218->83220 83219 42239c FreeEnvironmentStringsW 83219->83145 83220->83219 83222 4222e6 _wparse_cmdline 83221->83222 83223 416fb6 __malloc_crt 67 API calls 83222->83223 83224 422329 _wparse_cmdline 83222->83224 83223->83224 83224->83147 83226 42209a _wcslen 83225->83226 83230 416267 83225->83230 83227 416ffb __calloc_crt 67 API calls 83226->83227 83233 4220be _wcslen 83227->83233 83228 422123 83229 413a88 ___free_lconv_mon 67 API calls 83228->83229 83229->83230 83230->83154 83271 4117af 67 API calls 3 library calls 83230->83271 83231 416ffb __calloc_crt 67 API calls 83231->83233 83232 422149 83234 413a88 ___free_lconv_mon 67 API calls 83232->83234 83233->83228 83233->83230 83233->83231 83233->83232 83236 422108 83233->83236 83421 426349 67 API calls _set_new_mode 83233->83421 83234->83230 83236->83233 83422 417d93 10 API calls 3 library calls 83236->83422 83239 41187c __IsNonwritableInCurrentImage 83238->83239 83423 418486 83239->83423 83241 41189a __initterm_e 83243 4118b9 __IsNonwritableInCurrentImage __initterm 83241->83243 83427 411421 83241->83427 83243->83155 83245 431bcb 83244->83245 83246 40d80c 83244->83246 83471 4092c0 83246->83471 83248 40d847 83475 40eb50 83248->83475 83251 40d877 83478 411ac6 67 API calls 4 library calls 83251->83478 83254 40d888 83479 411b24 67 API calls _set_new_mode 83254->83479 83256 40d891 83480 40f370 SystemParametersInfoW SystemParametersInfoW 83256->83480 83258 40d89f 83481 40d6d0 GetCurrentDirectoryW 83258->83481 83260 40d8a7 SystemParametersInfoW 83261 40d8d4 83260->83261 83262 40d8cd FreeLibrary 83260->83262 83263 4092c0 VariantClear 83261->83263 83262->83261 83264 40d8dd 83263->83264 83265 4092c0 VariantClear 83264->83265 83266 40d8e6 83265->83266 83266->83160 83273 411a1f 67 API calls _doexit 83266->83273 83267->83133 83268->83137 83269->83144 83270->83148 83271->83154 83272->83157 83273->83160 83274->83163 83275->83173 83276->83180 83278 4169a7 GetModuleHandleW 83277->83278 83279 416986 83277->83279 83281 4169c2 GetProcAddress 83278->83281 83282 4169b7 83278->83282 83279->83278 83280 416990 TlsGetValue 83279->83280 83285 41699b 83280->83285 83284 41699f 83281->83284 83306 41177f Sleep GetModuleHandleW 83282->83306 83284->83183 83285->83278 83285->83284 83286 4169bd 83286->83281 83286->83284 83287->83190 83289 416a01 83288->83289 83290 416a22 GetModuleHandleW 83288->83290 83289->83290 83291 416a0b TlsGetValue 83289->83291 83292 416a32 83290->83292 83293 416a3d GetProcAddress 83290->83293 83296 416a16 83291->83296 83307 41177f Sleep GetModuleHandleW 83292->83307 83295 416a1a 83293->83295 83295->83170 83298 416ffb 83295->83298 83296->83290 83296->83295 83297 416a38 83297->83293 83297->83295 83301 417004 83298->83301 83300 416f70 83300->83170 83300->83195 83301->83300 83302 417022 Sleep 83301->83302 83308 422452 83301->83308 83303 417037 83302->83303 83303->83300 83303->83301 83304->83199 83305->83176 83306->83286 83307->83297 83309 42245e _flsall 83308->83309 83310 422476 83309->83310 83320 422495 _memset 83309->83320 83321 417f23 67 API calls __getptd_noexit 83310->83321 83312 42247b 83322 417ebb 6 API calls 2 library calls 83312->83322 83314 422507 HeapAlloc 83314->83320 83317 42248b _flsall 83317->83301 83320->83314 83320->83317 83323 418407 83320->83323 83330 41a74c 5 API calls 2 library calls 83320->83330 83331 42254e LeaveCriticalSection _doexit 83320->83331 83332 411afc 6 API calls __decode_pointer 83320->83332 83321->83312 83324 41841c 83323->83324 83325 41842f EnterCriticalSection 83323->83325 83333 418344 83324->83333 83325->83320 83327 418422 83327->83325 83361 4117af 67 API calls 3 library calls 83327->83361 83329 41842e 83329->83325 83330->83320 83331->83320 83332->83320 83334 418350 _flsall 83333->83334 83335 418360 83334->83335 83336 418378 83334->83336 83362 418252 67 API calls 2 library calls 83335->83362 83344 418386 _flsall 83336->83344 83365 416fb6 83336->83365 83338 418365 83363 4180a7 67 API calls 7 library calls 83338->83363 83342 4183a7 83347 418407 __lock 67 API calls 83342->83347 83343 418398 83371 417f23 67 API calls __getptd_noexit 83343->83371 83344->83327 83345 41836c 83364 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 83345->83364 83349 4183ae 83347->83349 83351 4183e2 83349->83351 83352 4183b6 83349->83352 83353 413a88 ___free_lconv_mon 67 API calls 83351->83353 83372 4189e6 InitializeCriticalSectionAndSpinCount _flsall 83352->83372 83356 4183d3 83353->83356 83355 4183c1 83355->83356 83373 413a88 83355->83373 83387 4183fe LeaveCriticalSection _doexit 83356->83387 83359 4183cd 83386 417f23 67 API calls __getptd_noexit 83359->83386 83361->83329 83362->83338 83363->83345 83368 416fbf 83365->83368 83367 416ff5 83367->83342 83367->83343 83368->83367 83369 416fd6 Sleep 83368->83369 83388 4138ba 83368->83388 83370 416feb 83369->83370 83370->83367 83370->83368 83371->83344 83372->83355 83374 413a94 _flsall 83373->83374 83375 413ad3 83374->83375 83376 413b0d _flsall __dosmaperr 83374->83376 83378 418407 __lock 65 API calls 83374->83378 83375->83376 83377 413ae8 RtlFreeHeap 83375->83377 83376->83359 83377->83376 83379 413afa 83377->83379 83381 413aab ___sbh_find_block 83378->83381 83417 417f23 67 API calls __getptd_noexit 83379->83417 83383 413ac5 83381->83383 83415 419f9d __VEC_memcpy VirtualFree VirtualFree HeapFree __fptostr 83381->83415 83382 413aff GetLastError 83382->83376 83416 413ade LeaveCriticalSection _doexit 83383->83416 83386->83356 83387->83344 83389 41396d 83388->83389 83400 4138cc 83388->83400 83413 411afc 6 API calls __decode_pointer 83389->83413 83391 413973 83414 417f23 67 API calls __getptd_noexit 83391->83414 83394 413965 83394->83368 83397 413929 RtlAllocateHeap 83397->83400 83398 4138dd 83398->83400 83406 418252 67 API calls 2 library calls 83398->83406 83407 4180a7 67 API calls 7 library calls 83398->83407 83408 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 83398->83408 83400->83394 83400->83397 83400->83398 83401 413959 83400->83401 83404 41395e 83400->83404 83409 41386b 67 API calls 4 library calls 83400->83409 83410 411afc 6 API calls __decode_pointer 83400->83410 83411 417f23 67 API calls __getptd_noexit 83401->83411 83412 417f23 67 API calls __getptd_noexit 83404->83412 83406->83398 83407->83398 83409->83400 83410->83400 83411->83404 83412->83394 83413->83391 83414->83394 83415->83383 83416->83375 83417->83382 83418->83202 83419->83211 83420->83209 83421->83233 83422->83236 83425 41848c 83423->83425 83424 41696e __encode_pointer 6 API calls 83424->83425 83425->83424 83426 4184a4 83425->83426 83426->83241 83430 4113e5 83427->83430 83429 41142e 83429->83243 83431 4113f1 _flsall 83430->83431 83438 41181b 83431->83438 83437 411412 _flsall 83437->83429 83439 418407 __lock 67 API calls 83438->83439 83440 4113f6 83439->83440 83441 4112fa 83440->83441 83442 4169e9 __decode_pointer 6 API calls 83441->83442 83443 41130e 83442->83443 83444 4169e9 __decode_pointer 6 API calls 83443->83444 83445 41131e 83444->83445 83446 4113a1 83445->83446 83464 4170e7 68 API calls 5 library calls 83445->83464 83461 41141b 83446->83461 83448 41133c 83449 411388 83448->83449 83452 411357 83448->83452 83453 411366 83448->83453 83450 41696e __encode_pointer 6 API calls 83449->83450 83451 411396 83450->83451 83454 41696e __encode_pointer 6 API calls 83451->83454 83465 417047 73 API calls _realloc 83452->83465 83453->83446 83456 411360 83453->83456 83454->83446 83456->83453 83458 41137c 83456->83458 83466 417047 73 API calls _realloc 83456->83466 83460 41696e __encode_pointer 6 API calls 83458->83460 83459 411376 83459->83446 83459->83458 83460->83449 83467 411824 83461->83467 83464->83448 83465->83456 83466->83459 83470 41832d LeaveCriticalSection 83467->83470 83469 411420 83469->83437 83470->83469 83472 4092c8 ctype 83471->83472 83473 429db0 VariantClear 83472->83473 83474 4092d5 ctype 83472->83474 83473->83474 83474->83248 83519 40eb70 83475->83519 83478->83254 83479->83256 83480->83258 83523 401f80 83481->83523 83483 40d6f1 IsDebuggerPresent 83484 431a9d MessageBoxA 83483->83484 83485 40d6ff 83483->83485 83486 431ab6 83484->83486 83485->83486 83487 40d71f 83485->83487 83625 403e90 75 API calls 3 library calls 83486->83625 83593 40f3b0 83487->83593 83491 40d73a GetFullPathNameW 83623 401440 127 API calls _wcscat 83491->83623 83493 40d77a 83494 40d782 83493->83494 83495 431b09 SetCurrentDirectoryW 83493->83495 83496 40d78b 83494->83496 83626 43604b 6 API calls 83494->83626 83495->83494 83605 4101f0 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 83496->83605 83500 431b28 83500->83496 83502 431b30 GetModuleFileNameW 83500->83502 83504 431ba4 GetForegroundWindow ShellExecuteW 83502->83504 83505 431b4c 83502->83505 83503 40d795 83509 40d7a8 83503->83509 83613 40e1e0 83503->83613 83510 40d7c7 83504->83510 83627 401b70 83505->83627 83509->83510 83624 401000 Shell_NotifyIconW _memset 83509->83624 83512 40d7d1 SetCurrentDirectoryW 83510->83512 83512->83260 83513 431b66 83634 40d3b0 75 API calls 2 library calls 83513->83634 83516 431b72 GetForegroundWindow ShellExecuteW 83517 431b9f 83516->83517 83517->83510 83518 40eba0 LoadLibraryA GetProcAddress 83518->83251 83520 40d86e 83519->83520 83521 40eb76 LoadLibraryA 83519->83521 83520->83251 83520->83518 83521->83520 83522 40eb87 GetProcAddress 83521->83522 83522->83520 83635 40e680 83523->83635 83527 401fa2 GetModuleFileNameW 83653 40ff90 83527->83653 83529 401fbd 83665 4107b0 83529->83665 83532 401b70 75 API calls 83533 401fe4 83532->83533 83668 4019e0 83533->83668 83535 401ff2 83536 4092c0 VariantClear 83535->83536 83537 402002 83536->83537 83538 401b70 75 API calls 83537->83538 83539 40201c 83538->83539 83540 4019e0 76 API calls 83539->83540 83541 40202c 83540->83541 83542 401b70 75 API calls 83541->83542 83543 40203c 83542->83543 83676 40c3e0 83543->83676 83545 40204d 83694 40c060 83545->83694 83549 40206e 83706 4115d0 83549->83706 83552 42c174 83554 401a70 75 API calls 83552->83554 83553 402088 83555 4115d0 __wcsicoll 79 API calls 83553->83555 83556 42c189 83554->83556 83557 402093 83555->83557 83559 401a70 75 API calls 83556->83559 83557->83556 83558 40209e 83557->83558 83560 4115d0 __wcsicoll 79 API calls 83558->83560 83561 42c1a7 83559->83561 83562 4020a9 83560->83562 83563 42c1b0 GetModuleFileNameW 83561->83563 83562->83563 83564 4020b4 83562->83564 83566 401a70 75 API calls 83563->83566 83565 4115d0 __wcsicoll 79 API calls 83564->83565 83567 4020bf 83565->83567 83568 42c1e2 83566->83568 83569 402107 83567->83569 83573 401a70 75 API calls 83567->83573 83579 42c20a _wcscpy 83567->83579 83718 40df50 75 API calls 83568->83718 83572 402119 83569->83572 83569->83579 83571 42c1f1 83574 401a70 75 API calls 83571->83574 83575 42c243 83572->83575 83714 40e7e0 76 API calls 83572->83714 83577 4020e5 _wcscpy 83573->83577 83578 42c201 83574->83578 83584 401a70 75 API calls 83577->83584 83578->83579 83580 401a70 75 API calls 83579->83580 83588 402148 83580->83588 83581 402132 83715 40d030 76 API calls 83581->83715 83583 40213e 83585 4092c0 VariantClear 83583->83585 83584->83569 83585->83588 83586 402184 83590 4092c0 VariantClear 83586->83590 83588->83586 83591 401a70 75 API calls 83588->83591 83716 40d030 76 API calls 83588->83716 83717 40e640 76 API calls 83588->83717 83592 402196 ctype 83590->83592 83591->83588 83592->83483 83594 42ccf4 _memset 83593->83594 83595 40f3c9 83593->83595 83597 42cd05 GetOpenFileNameW 83594->83597 84438 40ffb0 76 API calls ctype 83595->84438 83597->83595 83599 40d732 83597->83599 83598 40f3d2 84439 410130 SHGetMalloc 83598->84439 83599->83491 83599->83493 83601 40f3d9 84444 410020 88 API calls __wcsicoll 83601->84444 83603 40f3e7 84445 40f400 83603->84445 83606 42b9d3 83605->83606 83607 41025a LoadImageW RegisterClassExW 83605->83607 84490 443e8f EnumResourceNamesW LoadImageW 83606->84490 84489 4102f0 7 API calls 83607->84489 83610 40d790 83612 4103e0 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 83610->83612 83611 42b9da 83612->83503 83614 40e207 _memset 83613->83614 83615 40e262 83614->83615 83616 42aa14 DestroyIcon 83614->83616 83617 40e2a4 83615->83617 84513 43737d 84 API calls __wcsicoll 83615->84513 83616->83615 83619 40e2c0 Shell_NotifyIconW 83617->83619 83620 42aa50 Shell_NotifyIconW 83617->83620 84491 401be0 83619->84491 83622 40e2da 83622->83509 83623->83493 83624->83510 83625->83493 83626->83500 83628 401b76 _wcslen 83627->83628 83629 41171a 75 API calls 83628->83629 83632 401bc5 83628->83632 83630 401bad _memcpy_s 83629->83630 83631 41171a 75 API calls 83630->83631 83631->83632 83633 40d3b0 75 API calls 2 library calls 83632->83633 83633->83513 83634->83516 83636 40c060 75 API calls 83635->83636 83637 401f90 83636->83637 83638 402940 83637->83638 83639 40294a __write_nolock 83638->83639 83719 4021e0 83639->83719 83642 402972 83652 4029a4 83642->83652 83731 401cf0 83642->83731 83644 402a8c 83645 401b70 75 API calls 83644->83645 83651 402abe 83644->83651 83647 402ab3 83645->83647 83646 401b70 75 API calls 83646->83652 83742 40d970 75 API calls 2 library calls 83647->83742 83648 401cf0 75 API calls 83648->83652 83651->83527 83652->83644 83652->83646 83652->83648 83734 402ae0 83652->83734 83741 40d970 75 API calls 2 library calls 83652->83741 83767 40f5e0 83653->83767 83656 40ffa6 83656->83529 83658 42b6d8 83661 42b6e6 83658->83661 83823 434fe1 83658->83823 83660 413a88 ___free_lconv_mon 67 API calls 83662 42b6f5 83660->83662 83661->83660 83663 434fe1 106 API calls 83662->83663 83664 42b702 83663->83664 83664->83529 83666 41171a 75 API calls 83665->83666 83667 401fd6 83666->83667 83667->83532 83669 401a03 83668->83669 83673 4019e5 83668->83673 83670 401a1a 83669->83670 83669->83673 84427 404260 76 API calls 83670->84427 83671 4019ff 83671->83535 83673->83671 84426 404260 76 API calls 83673->84426 83675 401a26 83675->83535 83677 40c3e4 83676->83677 83678 40c42c 83676->83678 83681 40c3f0 83677->83681 83689 42a475 83677->83689 83679 42a422 83678->83679 83680 40c435 83678->83680 83682 42a427 83679->83682 83683 42a445 83679->83683 83684 40c441 83680->83684 83688 42a455 83680->83688 84428 4042f0 75 API calls __cinit 83681->84428 83692 40c3fb 83682->83692 84430 453155 75 API calls 83682->84430 84431 453155 75 API calls 83683->84431 84429 4042f0 75 API calls __cinit 83684->84429 84432 453155 75 API calls 83688->84432 84433 453155 75 API calls 83689->84433 83692->83545 83695 41171a 75 API calls 83694->83695 83696 40c088 83695->83696 83697 41171a 75 API calls 83696->83697 83698 402061 83697->83698 83699 401a70 83698->83699 83700 401a90 83699->83700 83701 401a77 83699->83701 83702 4021e0 75 API calls 83700->83702 83703 401a8d 83701->83703 84434 404080 75 API calls _memcpy_s 83701->84434 83704 401a9c 83702->83704 83703->83549 83704->83549 83707 4115e1 83706->83707 83708 411650 83706->83708 83713 40207d 83707->83713 84435 417f23 67 API calls __getptd_noexit 83707->84435 84437 4114bf 79 API calls 3 library calls 83708->84437 83711 4115ed 84436 417ebb 6 API calls 2 library calls 83711->84436 83713->83552 83713->83553 83714->83581 83715->83583 83716->83588 83717->83588 83718->83571 83720 4021f1 _wcslen 83719->83720 83721 42a598 83719->83721 83724 402205 83720->83724 83725 402226 83720->83725 83759 40c740 83721->83759 83723 42a5a2 83743 404020 75 API calls ctype 83724->83743 83744 401380 83725->83744 83730 40220c _memcpy_s 83730->83642 83732 402ae0 75 API calls 83731->83732 83733 401cf7 83732->83733 83733->83642 83735 42a06a 83734->83735 83736 402aef 83734->83736 83737 401380 75 API calls 83735->83737 83736->83652 83738 42a072 83737->83738 83739 41171a 75 API calls 83738->83739 83740 42a095 _memcpy_s 83739->83740 83740->83652 83741->83652 83742->83651 83743->83730 83745 41171a 75 API calls 83744->83745 83746 401387 83745->83746 83746->83723 83747 41171a 83746->83747 83748 411724 83747->83748 83749 4138ba _malloc 67 API calls 83748->83749 83750 41173e 83748->83750 83754 411740 std::bad_alloc::bad_alloc 83748->83754 83764 411afc 6 API calls __decode_pointer 83748->83764 83749->83748 83750->83730 83752 411766 83765 4116fd 67 API calls std::exception::exception 83752->83765 83754->83752 83756 411421 __cinit 74 API calls 83754->83756 83755 411770 83766 41805b RaiseException 83755->83766 83756->83752 83758 41177e 83760 40c752 83759->83760 83761 40c747 83759->83761 83760->83723 83761->83760 83762 402ae0 75 API calls 83761->83762 83763 42a572 _memcpy_s 83762->83763 83763->83723 83764->83748 83765->83755 83766->83758 83827 40f580 83767->83827 83769 40f5f8 _strcat ctype 83835 40f6d0 83769->83835 83774 42b2ee 83864 4151b0 83774->83864 83776 40f679 83776->83774 83777 40f681 83776->83777 83851 414e94 83777->83851 83781 40f68b 83781->83656 83786 452574 83781->83786 83783 42b31d 83870 415484 83783->83870 83785 42b33d 83787 41557c _fseek 105 API calls 83786->83787 83788 4525df 83787->83788 84371 4523ce 83788->84371 83791 4525fc 83791->83658 83792 4151b0 __fread_nolock 81 API calls 83793 45261d 83792->83793 83794 4151b0 __fread_nolock 81 API calls 83793->83794 83795 45262e 83794->83795 83796 4151b0 __fread_nolock 81 API calls 83795->83796 83797 452649 83796->83797 83798 4151b0 __fread_nolock 81 API calls 83797->83798 83799 452666 83798->83799 83800 41557c _fseek 105 API calls 83799->83800 83801 452682 83800->83801 83802 4138ba _malloc 67 API calls 83801->83802 83803 45268e 83802->83803 83804 4138ba _malloc 67 API calls 83803->83804 83805 45269b 83804->83805 83806 4151b0 __fread_nolock 81 API calls 83805->83806 83807 4526ac 83806->83807 83808 44afdc GetSystemTimeAsFileTime 83807->83808 83809 4526bf 83808->83809 83810 4526d5 83809->83810 83811 4526fd 83809->83811 83812 413a88 ___free_lconv_mon 67 API calls 83810->83812 83813 452704 83811->83813 83814 45275b 83811->83814 83815 4526df 83812->83815 84377 44b195 83813->84377 83817 413a88 ___free_lconv_mon 67 API calls 83814->83817 83819 413a88 ___free_lconv_mon 67 API calls 83815->83819 83818 452759 83817->83818 83818->83658 83821 4526e8 83819->83821 83820 452753 83822 413a88 ___free_lconv_mon 67 API calls 83820->83822 83821->83658 83822->83818 83824 434ff1 83823->83824 83825 434feb 83823->83825 83824->83661 83826 414e94 __fcloseall 106 API calls 83825->83826 83826->83824 83828 429440 83827->83828 83829 40f589 _wcslen 83827->83829 83830 40f58f WideCharToMultiByte 83829->83830 83831 40f5d8 83830->83831 83832 40f5ad 83830->83832 83831->83769 83833 41171a 75 API calls 83832->83833 83834 40f5bb WideCharToMultiByte 83833->83834 83834->83769 83836 40f6dd _strlen 83835->83836 83883 40f790 83836->83883 83839 414e06 83902 414d40 83839->83902 83841 40f666 83841->83774 83842 40f450 83841->83842 83845 40f45a _strcat _memcpy_s __write_nolock 83842->83845 83843 4151b0 __fread_nolock 81 API calls 83843->83845 83845->83843 83846 42936d 83845->83846 83850 40f531 83845->83850 83985 41557c 83845->83985 83847 41557c _fseek 105 API calls 83846->83847 83848 429394 83847->83848 83849 4151b0 __fread_nolock 81 API calls 83848->83849 83849->83850 83850->83776 83852 414ea0 _flsall 83851->83852 83853 414ed1 83852->83853 83854 414eb4 83852->83854 83856 415965 __lock_file 68 API calls 83853->83856 83860 414ec9 _flsall 83853->83860 84124 417f23 67 API calls __getptd_noexit 83854->84124 83858 414ee9 83856->83858 83857 414eb9 84125 417ebb 6 API calls 2 library calls 83857->84125 84108 414e1d 83858->84108 83860->83781 84193 41511a 83864->84193 83866 4151c8 83867 44afdc 83866->83867 84364 4431e0 83867->84364 83869 44affd 83869->83783 83871 415490 _flsall 83870->83871 83872 4154bb 83871->83872 83873 41549e 83871->83873 83874 415965 __lock_file 68 API calls 83872->83874 84368 417f23 67 API calls __getptd_noexit 83873->84368 83876 4154c3 83874->83876 83879 4152e7 __ftell_nolock 71 API calls 83876->83879 83877 4154a3 84369 417ebb 6 API calls 2 library calls 83877->84369 83880 4154cf 83879->83880 84370 4154e8 LeaveCriticalSection LeaveCriticalSection _ftell 83880->84370 83882 4154b3 _flsall 83882->83785 83884 40f7ae _memset 83883->83884 83886 40f628 83884->83886 83887 415258 83884->83887 83886->83839 83888 415285 83887->83888 83889 415268 83887->83889 83888->83889 83891 41528c 83888->83891 83898 417f23 67 API calls __getptd_noexit 83889->83898 83900 41c551 103 API calls 15 library calls 83891->83900 83892 41526d 83899 417ebb 6 API calls 2 library calls 83892->83899 83895 4152b2 83896 41527d 83895->83896 83901 4191c9 101 API calls 6 library calls 83895->83901 83896->83884 83898->83892 83900->83895 83901->83896 83903 414d4c _flsall 83902->83903 83904 414d5f 83903->83904 83906 414d95 83903->83906 83954 417f23 67 API calls __getptd_noexit 83904->83954 83921 41e28c 83906->83921 83907 414d64 83955 417ebb 6 API calls 2 library calls 83907->83955 83910 414d9a 83911 414da1 83910->83911 83912 414dae 83910->83912 83956 417f23 67 API calls __getptd_noexit 83911->83956 83914 414dd6 83912->83914 83915 414db6 83912->83915 83939 41dfd8 83914->83939 83957 417f23 67 API calls __getptd_noexit 83915->83957 83919 414d74 _flsall @_EH4_CallFilterFunc@8 83919->83841 83922 41e298 _flsall 83921->83922 83923 418407 __lock 67 API calls 83922->83923 83924 41e2a6 83923->83924 83925 41e322 83924->83925 83930 418344 __mtinitlocknum 67 API calls 83924->83930 83936 41e31b 83924->83936 83962 4159a6 68 API calls __lock 83924->83962 83963 415a14 LeaveCriticalSection LeaveCriticalSection _doexit 83924->83963 83926 416fb6 __malloc_crt 67 API calls 83925->83926 83928 41e32c 83926->83928 83928->83936 83964 4189e6 InitializeCriticalSectionAndSpinCount _flsall 83928->83964 83930->83924 83932 41e3b0 _flsall 83932->83910 83933 41e351 83934 41e35c 83933->83934 83935 41e36f EnterCriticalSection 83933->83935 83937 413a88 ___free_lconv_mon 67 API calls 83934->83937 83935->83936 83959 41e3bb 83936->83959 83937->83936 83940 41dffb __wopenfile 83939->83940 83941 41e015 83940->83941 83953 41e1e9 83940->83953 83971 4136bc 79 API calls 2 library calls 83940->83971 83969 417f23 67 API calls __getptd_noexit 83941->83969 83943 41e01a 83970 417ebb 6 API calls 2 library calls 83943->83970 83944 41e247 83966 425db0 83944->83966 83949 41e1e2 83949->83953 83972 4136bc 79 API calls 2 library calls 83949->83972 83951 41e201 83951->83953 83973 4136bc 79 API calls 2 library calls 83951->83973 83953->83941 83953->83944 83954->83907 83956->83919 83957->83919 83958 414dfc LeaveCriticalSection LeaveCriticalSection _ftell 83958->83919 83965 41832d LeaveCriticalSection 83959->83965 83961 41e3c2 83961->83932 83962->83924 83963->83924 83964->83933 83965->83961 83974 425ce4 83966->83974 83968 414de1 83968->83958 83969->83943 83971->83949 83972->83951 83973->83953 83977 425cf0 _flsall 83974->83977 83975 425d03 83976 417f23 _set_new_mode 67 API calls 83975->83976 83978 425d08 83976->83978 83977->83975 83979 425d41 83977->83979 83980 417ebb _set_new_mode 6 API calls 83978->83980 83981 4255c4 __tsopen_nolock 132 API calls 83979->83981 83984 425d17 _flsall 83980->83984 83982 425d5b 83981->83982 83983 425d82 __sopen_helper LeaveCriticalSection 83982->83983 83983->83984 83984->83968 83989 415588 _flsall 83985->83989 83986 415596 84016 417f23 67 API calls __getptd_noexit 83986->84016 83988 4155c4 83998 415965 83988->83998 83989->83986 83989->83988 83990 41559b 84017 417ebb 6 API calls 2 library calls 83990->84017 83997 4155ab _flsall 83997->83845 83999 415977 83998->83999 84000 415999 EnterCriticalSection 83998->84000 83999->84000 84001 41597f 83999->84001 84002 4155cc 84000->84002 84003 418407 __lock 67 API calls 84001->84003 84004 4154f2 84002->84004 84003->84002 84005 415512 84004->84005 84006 415502 84004->84006 84008 415524 84005->84008 84019 4152e7 84005->84019 84073 417f23 67 API calls __getptd_noexit 84006->84073 84036 41486c 84008->84036 84009 415507 84018 4155f7 LeaveCriticalSection LeaveCriticalSection _ftell 84009->84018 84016->83990 84018->83997 84020 41531a 84019->84020 84021 4152fa 84019->84021 84022 41453a __fileno 67 API calls 84020->84022 84074 417f23 67 API calls __getptd_noexit 84021->84074 84024 415320 84022->84024 84027 41efd4 __locking 71 API calls 84024->84027 84025 4152ff 84075 417ebb 6 API calls 2 library calls 84025->84075 84028 415335 84027->84028 84029 4153a9 84028->84029 84031 415364 84028->84031 84035 41530f 84028->84035 84076 417f23 67 API calls __getptd_noexit 84029->84076 84032 41efd4 __locking 71 API calls 84031->84032 84031->84035 84033 415404 84032->84033 84034 41efd4 __locking 71 API calls 84033->84034 84033->84035 84034->84035 84035->84008 84037 414885 84036->84037 84041 4148a7 84036->84041 84038 41453a __fileno 67 API calls 84037->84038 84037->84041 84039 4148a0 84038->84039 84077 41c3cf 101 API calls 6 library calls 84039->84077 84042 41453a 84041->84042 84043 414549 84042->84043 84047 41455e 84042->84047 84078 417f23 67 API calls __getptd_noexit 84043->84078 84045 41454e 84079 417ebb 6 API calls 2 library calls 84045->84079 84048 41efd4 84047->84048 84049 41efe0 _flsall 84048->84049 84050 41f003 84049->84050 84051 41efe8 84049->84051 84052 41f011 84050->84052 84058 41f052 84050->84058 84100 417f36 67 API calls __getptd_noexit 84051->84100 84102 417f36 67 API calls __getptd_noexit 84052->84102 84054 41efed 84101 417f23 67 API calls __getptd_noexit 84054->84101 84057 41f016 84103 417f23 67 API calls __getptd_noexit 84057->84103 84080 41ba3b 84058->84080 84061 41f058 84063 41f065 84061->84063 84064 41f07b 84061->84064 84062 41f01d 84104 417ebb 6 API calls 2 library calls 84062->84104 84090 41ef5f 84063->84090 84105 417f23 67 API calls __getptd_noexit 84064->84105 84068 41eff5 _flsall 84068->84009 84069 41f073 84107 41f0a6 LeaveCriticalSection __unlock_fhandle 84069->84107 84070 41f080 84106 417f36 67 API calls __getptd_noexit 84070->84106 84073->84009 84074->84025 84076->84035 84077->84041 84078->84045 84081 41ba47 _flsall 84080->84081 84082 41baa2 84081->84082 84085 418407 __lock 67 API calls 84081->84085 84083 41bac4 _flsall 84082->84083 84084 41baa7 EnterCriticalSection 84082->84084 84083->84061 84084->84083 84086 41ba73 84085->84086 84087 41ba8a 84086->84087 84089 4189e6 __ioinit InitializeCriticalSectionAndSpinCount 84086->84089 84088 41bad2 ___lock_fhandle LeaveCriticalSection 84087->84088 84088->84082 84089->84087 84091 41b9c4 __chsize_nolock 67 API calls 84090->84091 84092 41ef6e 84091->84092 84093 41ef84 SetFilePointer 84092->84093 84094 41ef74 84092->84094 84096 41efa3 84093->84096 84097 41ef9b GetLastError 84093->84097 84095 417f23 _set_new_mode 67 API calls 84094->84095 84098 41ef79 84095->84098 84096->84098 84099 417f49 __dosmaperr 67 API calls 84096->84099 84097->84096 84098->84069 84099->84098 84100->84054 84101->84068 84102->84057 84103->84062 84105->84070 84106->84069 84107->84068 84109 414e31 84108->84109 84110 414e4d 84108->84110 84154 417f23 67 API calls __getptd_noexit 84109->84154 84113 41486c __flush 101 API calls 84110->84113 84117 414e46 84110->84117 84112 414e36 84155 417ebb 6 API calls 2 library calls 84112->84155 84115 414e59 84113->84115 84127 41e680 84115->84127 84126 414f08 LeaveCriticalSection LeaveCriticalSection _ftell 84117->84126 84119 41453a __fileno 67 API calls 84120 414e67 84119->84120 84131 41e5b3 84120->84131 84122 414e6d 84122->84117 84123 413a88 ___free_lconv_mon 67 API calls 84122->84123 84123->84117 84124->83857 84126->83860 84128 41e690 84127->84128 84129 414e61 84127->84129 84128->84129 84130 413a88 ___free_lconv_mon 67 API calls 84128->84130 84129->84119 84130->84129 84132 41e5bf _flsall 84131->84132 84133 41e5e2 84132->84133 84134 41e5c7 84132->84134 84136 41e5f0 84133->84136 84139 41e631 84133->84139 84171 417f36 67 API calls __getptd_noexit 84134->84171 84173 417f36 67 API calls __getptd_noexit 84136->84173 84137 41e5cc 84172 417f23 67 API calls __getptd_noexit 84137->84172 84142 41ba3b ___lock_fhandle 68 API calls 84139->84142 84141 41e5f5 84174 417f23 67 API calls __getptd_noexit 84141->84174 84144 41e637 84142->84144 84146 41e652 84144->84146 84147 41e644 84144->84147 84145 41e5fc 84175 417ebb 6 API calls 2 library calls 84145->84175 84176 417f23 67 API calls __getptd_noexit 84146->84176 84156 41e517 84147->84156 84151 41e64c 84177 41e676 LeaveCriticalSection __unlock_fhandle 84151->84177 84153 41e5d4 _flsall 84153->84122 84154->84112 84178 41b9c4 84156->84178 84158 41e57d 84191 41b93e 68 API calls 2 library calls 84158->84191 84160 41e527 84160->84158 84163 41b9c4 __chsize_nolock 67 API calls 84160->84163 84170 41e55b 84160->84170 84161 41b9c4 __chsize_nolock 67 API calls 84165 41e567 CloseHandle 84161->84165 84162 41e585 84169 41e5a7 84162->84169 84192 417f49 67 API calls 3 library calls 84162->84192 84164 41e552 84163->84164 84166 41b9c4 __chsize_nolock 67 API calls 84164->84166 84165->84158 84167 41e573 GetLastError 84165->84167 84166->84170 84167->84158 84169->84151 84170->84158 84170->84161 84171->84137 84172->84153 84173->84141 84174->84145 84176->84151 84177->84153 84179 41b9d1 84178->84179 84180 41b9e9 84178->84180 84181 417f36 __set_osfhnd 67 API calls 84179->84181 84183 417f36 __set_osfhnd 67 API calls 84180->84183 84190 41ba2e 84180->84190 84182 41b9d6 84181->84182 84184 417f23 _set_new_mode 67 API calls 84182->84184 84185 41ba17 84183->84185 84186 41b9de 84184->84186 84187 417f23 _set_new_mode 67 API calls 84185->84187 84186->84160 84188 41ba1e 84187->84188 84189 417ebb _set_new_mode 6 API calls 84188->84189 84189->84190 84190->84160 84191->84162 84192->84169 84194 415126 _flsall 84193->84194 84195 41513a _memset 84194->84195 84196 41516f 84194->84196 84197 415164 _flsall 84194->84197 84222 417f23 67 API calls __getptd_noexit 84195->84222 84198 415965 __lock_file 68 API calls 84196->84198 84197->83866 84199 415177 84198->84199 84206 414f10 84199->84206 84202 415154 84223 417ebb 6 API calls 2 library calls 84202->84223 84209 414f2e _memset 84206->84209 84213 414f4c 84206->84213 84207 414f37 84275 417f23 67 API calls __getptd_noexit 84207->84275 84209->84207 84209->84213 84220 414f8b 84209->84220 84210 414f3c 84276 417ebb 6 API calls 2 library calls 84210->84276 84224 4151a6 LeaveCriticalSection LeaveCriticalSection _ftell 84213->84224 84214 4150a9 _memset 84278 417f23 67 API calls __getptd_noexit 84214->84278 84215 4150d5 _memset 84279 417f23 67 API calls __getptd_noexit 84215->84279 84217 41453a __fileno 67 API calls 84217->84220 84220->84213 84220->84214 84220->84215 84220->84217 84225 41ed9e 84220->84225 84255 41e6b1 84220->84255 84277 41ee9b 67 API calls 3 library calls 84220->84277 84222->84202 84224->84197 84226 41edaa _flsall 84225->84226 84227 41edb2 84226->84227 84228 41edcd 84226->84228 84349 417f36 67 API calls __getptd_noexit 84227->84349 84230 41eddb 84228->84230 84234 41ee1c 84228->84234 84351 417f36 67 API calls __getptd_noexit 84230->84351 84232 41edb7 84350 417f23 67 API calls __getptd_noexit 84232->84350 84233 41ede0 84352 417f23 67 API calls __getptd_noexit 84233->84352 84237 41ee29 84234->84237 84238 41ee3d 84234->84238 84354 417f36 67 API calls __getptd_noexit 84237->84354 84239 41ba3b ___lock_fhandle 68 API calls 84238->84239 84242 41ee43 84239->84242 84240 41ede7 84353 417ebb 6 API calls 2 library calls 84240->84353 84244 41ee50 84242->84244 84245 41ee66 84242->84245 84243 41ee2e 84355 417f23 67 API calls __getptd_noexit 84243->84355 84280 41e7dc 84244->84280 84356 417f23 67 API calls __getptd_noexit 84245->84356 84248 41edbf _flsall 84248->84220 84251 41ee5e 84358 41ee91 LeaveCriticalSection __unlock_fhandle 84251->84358 84252 41ee6b 84357 417f36 67 API calls __getptd_noexit 84252->84357 84256 41e6c1 84255->84256 84260 41e6de 84255->84260 84362 417f23 67 API calls __getptd_noexit 84256->84362 84257 41e6d6 84257->84220 84259 41e6c6 84363 417ebb 6 API calls 2 library calls 84259->84363 84260->84257 84262 41e713 84260->84262 84359 423600 84260->84359 84264 41453a __fileno 67 API calls 84262->84264 84265 41e727 84264->84265 84266 41ed9e __read 79 API calls 84265->84266 84267 41e72e 84266->84267 84267->84257 84268 41453a __fileno 67 API calls 84267->84268 84269 41e751 84268->84269 84269->84257 84270 41453a __fileno 67 API calls 84269->84270 84271 41e75d 84270->84271 84271->84257 84272 41453a __fileno 67 API calls 84271->84272 84273 41e769 84272->84273 84274 41453a __fileno 67 API calls 84273->84274 84274->84257 84275->84210 84277->84220 84278->84210 84279->84210 84281 41e813 84280->84281 84282 41e7f8 84280->84282 84283 41e822 84281->84283 84285 41e849 84281->84285 84284 417f36 __set_osfhnd 67 API calls 84282->84284 84286 417f36 __set_osfhnd 67 API calls 84283->84286 84287 41e7fd 84284->84287 84289 41e868 84285->84289 84300 41e87c 84285->84300 84288 41e827 84286->84288 84290 417f23 _set_new_mode 67 API calls 84287->84290 84292 417f23 _set_new_mode 67 API calls 84288->84292 84293 417f36 __set_osfhnd 67 API calls 84289->84293 84301 41e805 84290->84301 84291 41e8d4 84295 417f36 __set_osfhnd 67 API calls 84291->84295 84294 41e82e 84292->84294 84296 41e86d 84293->84296 84297 417ebb _set_new_mode 6 API calls 84294->84297 84298 41e8d9 84295->84298 84299 417f23 _set_new_mode 67 API calls 84296->84299 84297->84301 84302 417f23 _set_new_mode 67 API calls 84298->84302 84303 41e874 84299->84303 84300->84291 84300->84301 84304 41e8b0 84300->84304 84305 41e8f5 84300->84305 84301->84251 84302->84303 84306 417ebb _set_new_mode 6 API calls 84303->84306 84304->84291 84309 41e8bb ReadFile 84304->84309 84308 416fb6 __malloc_crt 67 API calls 84305->84308 84306->84301 84310 41e90b 84308->84310 84311 41ed62 GetLastError 84309->84311 84312 41e9e7 84309->84312 84315 41e931 84310->84315 84316 41e913 84310->84316 84313 41ebe8 84311->84313 84314 41ed6f 84311->84314 84312->84311 84319 41e9fb 84312->84319 84323 417f49 __dosmaperr 67 API calls 84313->84323 84328 41eb6d 84313->84328 84317 417f23 _set_new_mode 67 API calls 84314->84317 84320 423462 __lseeki64_nolock 69 API calls 84315->84320 84318 417f23 _set_new_mode 67 API calls 84316->84318 84321 41ed74 84317->84321 84322 41e918 84318->84322 84319->84328 84330 41ea17 84319->84330 84333 41ec2d 84319->84333 84324 41e93d 84320->84324 84325 417f36 __set_osfhnd 67 API calls 84321->84325 84326 417f36 __set_osfhnd 67 API calls 84322->84326 84323->84328 84324->84309 84325->84328 84326->84301 84327 413a88 ___free_lconv_mon 67 API calls 84327->84301 84328->84301 84328->84327 84329 41eb32 84335 41ebbe MultiByteToWideChar 84329->84335 84331 41ea7d ReadFile 84330->84331 84338 41eafa 84330->84338 84336 41ea9b GetLastError 84331->84336 84341 41eaa5 84331->84341 84332 41eca5 ReadFile 84334 41ecc4 GetLastError 84332->84334 84342 41ecce 84332->84342 84333->84328 84333->84332 84334->84333 84334->84342 84335->84328 84337 41ebe2 GetLastError 84335->84337 84336->84330 84336->84341 84337->84313 84338->84328 84338->84329 84339 41eb75 84338->84339 84340 41eb68 84338->84340 84339->84329 84346 41ebac 84339->84346 84343 417f23 _set_new_mode 67 API calls 84340->84343 84341->84330 84344 423462 __lseeki64_nolock 69 API calls 84341->84344 84342->84333 84345 423462 __lseeki64_nolock 69 API calls 84342->84345 84343->84328 84344->84341 84345->84342 84347 423462 __lseeki64_nolock 69 API calls 84346->84347 84348 41ebbb 84347->84348 84348->84335 84349->84232 84350->84248 84351->84233 84352->84240 84354->84243 84355->84240 84356->84252 84357->84251 84358->84248 84360 416fb6 __malloc_crt 67 API calls 84359->84360 84361 423615 84360->84361 84361->84262 84362->84259 84367 414cef GetSystemTimeAsFileTime __aulldiv 84364->84367 84366 4431ef 84366->83869 84367->84366 84368->83877 84370->83882 84375 4523e1 _wcscpy 84371->84375 84372 4151b0 81 API calls __fread_nolock 84372->84375 84373 44afdc GetSystemTimeAsFileTime 84373->84375 84374 452553 84374->83791 84374->83792 84375->84372 84375->84373 84375->84374 84376 41557c 105 API calls _fseek 84375->84376 84376->84375 84378 44b1a6 84377->84378 84380 44b1b4 84377->84380 84379 414e06 138 API calls 84378->84379 84379->84380 84381 44b1ca 84380->84381 84382 44b1c2 84380->84382 84383 414e06 138 API calls 84380->84383 84412 4352d1 81 API calls 2 library calls 84381->84412 84382->83820 84385 44b2c1 84383->84385 84385->84381 84387 44b2cf 84385->84387 84386 44b20d 84388 44b211 84386->84388 84389 44b23b 84386->84389 84390 44b2dc 84387->84390 84391 414e94 __fcloseall 106 API calls 84387->84391 84393 44b21e 84388->84393 84395 414e94 __fcloseall 106 API calls 84388->84395 84413 43526e 84389->84413 84390->83820 84391->84390 84396 44b22e 84393->84396 84399 414e94 __fcloseall 106 API calls 84393->84399 84394 44b242 84397 44b270 84394->84397 84398 44b248 84394->84398 84395->84393 84396->83820 84423 44b0af 111 API calls 84397->84423 84400 44b255 84398->84400 84402 414e94 __fcloseall 106 API calls 84398->84402 84399->84396 84403 44b265 84400->84403 84405 414e94 __fcloseall 106 API calls 84400->84405 84402->84400 84403->83820 84404 44b276 84424 43522c 67 API calls ___free_lconv_mon 84404->84424 84405->84403 84407 44b27c 84408 44b289 84407->84408 84409 414e94 __fcloseall 106 API calls 84407->84409 84410 44b299 84408->84410 84411 414e94 __fcloseall 106 API calls 84408->84411 84409->84408 84410->83820 84411->84410 84412->84386 84414 4138ba _malloc 67 API calls 84413->84414 84415 43527d 84414->84415 84416 4138ba _malloc 67 API calls 84415->84416 84417 43528d 84416->84417 84418 4138ba _malloc 67 API calls 84417->84418 84419 43529d 84418->84419 84421 4352bc 84419->84421 84425 43522c 67 API calls ___free_lconv_mon 84419->84425 84421->84394 84422 4352c8 84422->84394 84423->84404 84424->84407 84425->84422 84426->83671 84427->83675 84428->83692 84429->83692 84430->83692 84431->83688 84432->83692 84433->83692 84434->83703 84435->83711 84437->83713 84438->83598 84440 410148 SHGetDesktopFolder 84439->84440 84441 4101a3 _wcscpy 84439->84441 84440->84441 84442 41015a _wcscpy 84440->84442 84441->83601 84442->84441 84443 41018a SHGetPathFromIDListW 84442->84443 84443->84441 84444->83603 84446 40f5e0 152 API calls 84445->84446 84447 40f417 84446->84447 84448 42ca37 84447->84448 84450 40f42c 84447->84450 84451 42ca1f 84447->84451 84449 452574 140 API calls 84448->84449 84453 42ca50 84449->84453 84483 4037e0 139 API calls 7 library calls 84450->84483 84484 43717f 110 API calls _printf 84451->84484 84456 42ca76 84453->84456 84457 42ca54 84453->84457 84455 42ca2d 84455->84448 84460 41171a 75 API calls 84456->84460 84459 434fe1 106 API calls 84457->84459 84458 40f446 84458->83599 84461 42ca5e 84459->84461 84475 42cacc ctype 84460->84475 84485 43717f 110 API calls _printf 84461->84485 84463 42ccc3 84465 413a88 ___free_lconv_mon 67 API calls 84463->84465 84464 42ca6c 84464->84456 84466 42cccd 84465->84466 84467 434fe1 106 API calls 84466->84467 84468 42ccda 84467->84468 84472 401b70 75 API calls 84472->84475 84475->84463 84475->84472 84476 402cc0 75 API calls 2 library calls 84475->84476 84477 4026a0 84475->84477 84486 445051 75 API calls _memcpy_s 84475->84486 84487 44c80c 87 API calls 3 library calls 84475->84487 84488 44b408 75 API calls 84475->84488 84476->84475 84478 4026af 84477->84478 84480 40276b 84477->84480 84479 41171a 75 API calls 84478->84479 84478->84480 84482 4026ee ctype 84478->84482 84479->84482 84480->84475 84481 41171a 75 API calls 84481->84482 84482->84480 84482->84481 84483->84458 84484->84455 84485->84464 84486->84475 84487->84475 84488->84475 84489->83610 84490->83611 84492 401bfb 84491->84492 84512 401cde 84491->84512 84514 4013a0 84492->84514 84495 42a9a0 LoadStringW 84498 42a9bb 84495->84498 84496 401c18 84497 4021e0 75 API calls 84496->84497 84499 401c2d 84497->84499 84520 40df50 75 API calls 84498->84520 84501 401c3a 84499->84501 84502 42a9cd 84499->84502 84501->84498 84503 401c44 84501->84503 84521 40d3b0 75 API calls 2 library calls 84502->84521 84519 40d3b0 75 API calls 2 library calls 84503->84519 84506 42a9dc 84507 42a9f0 84506->84507 84509 401c53 _memset _wcscpy _wcsncpy 84506->84509 84522 40d3b0 75 API calls 2 library calls 84507->84522 84511 401cc2 Shell_NotifyIconW 84509->84511 84510 42a9fe 84511->84512 84512->83622 84513->83617 84515 41171a 75 API calls 84514->84515 84516 4013c4 84515->84516 84517 401380 75 API calls 84516->84517 84518 4013d3 84517->84518 84518->84495 84518->84496 84519->84509 84520->84509 84521->84506 84522->84510 84523 444343 84526 444326 84523->84526 84525 44434e WriteFile 84527 444340 84526->84527 84528 4442c7 84526->84528 84527->84525 84533 40e190 SetFilePointerEx 84528->84533 84530 4442e0 SetFilePointerEx 84534 40e190 SetFilePointerEx 84530->84534 84532 4442ff 84532->84525 84533->84530 84534->84532 84698 431914 84699 431920 84698->84699 84700 431928 84699->84700 84701 43193d 84699->84701 84962 45e62e 116 API calls 3 library calls 84700->84962 84963 47f2b4 174 API calls 84701->84963 84704 43194a 84741 4095b0 ctype 84704->84741 84964 45e62e 116 API calls 3 library calls 84704->84964 84706 409708 84708 4097af 84708->84706 84949 40d590 VariantClear 84708->84949 84710 4315b8 WaitForSingleObject 84712 4315d6 GetExitCodeProcess CloseHandle 84710->84712 84710->84741 84711 431623 Sleep 84716 43163b timeGetTime 84711->84716 84735 409894 84711->84735 84953 40d590 VariantClear 84712->84953 84716->84735 84717 40986e Sleep 84720 409880 timeGetTime 84717->84720 84717->84735 84720->84735 84721 4098f1 TranslateMessage DispatchMessageW 84721->84741 84722 431673 CloseHandle 84722->84735 84723 43170c GetExitCodeProcess CloseHandle 84723->84735 84725 46e641 134 API calls 84725->84735 84727 46dd22 133 API calls 84727->84735 84729 431781 Sleep 84729->84741 84732 40d590 VariantClear 84732->84735 84735->84722 84735->84723 84735->84725 84735->84727 84735->84729 84735->84732 84740 4092c0 VariantClear 84735->84740 84735->84741 84950 447e59 75 API calls 84735->84950 84951 453b07 77 API calls 84735->84951 84952 4646a2 76 API calls 84735->84952 84954 444233 88 API calls _wcslen 84735->84954 84955 457509 VariantClear 84735->84955 84956 404120 84735->84956 84960 4717e3 VariantClear 84735->84960 84961 436272 6 API calls 84735->84961 84738 45e62e 116 API calls 84738->84741 84739 4319c9 VariantClear 84739->84741 84740->84735 84741->84706 84741->84708 84741->84710 84741->84711 84741->84717 84741->84721 84741->84735 84741->84738 84741->84739 84742 4092c0 VariantClear 84741->84742 84744 40b380 84741->84744 84768 409340 84741->84768 84801 409030 84741->84801 84815 40d300 84741->84815 84820 40d320 84741->84820 84826 409a40 84741->84826 84965 40e380 VariantClear ctype 84741->84965 84742->84741 84745 40b3a5 84744->84745 84746 40b53d 84744->84746 84747 430a99 84745->84747 84753 40b3b6 84745->84753 84966 45e62e 116 API calls 3 library calls 84746->84966 84967 45e62e 116 API calls 3 library calls 84747->84967 84750 430aae 84755 4092c0 VariantClear 84750->84755 84751 40b528 84751->84741 84753->84750 84756 40b3f2 84753->84756 84767 40b4fd ctype 84753->84767 84754 430dc9 84754->84754 84755->84751 84757 40b429 84756->84757 84758 430ae9 VariantClear 84756->84758 84764 40b476 ctype 84756->84764 84765 40b43b ctype 84757->84765 84968 40e380 VariantClear ctype 84757->84968 84758->84765 84759 430d41 VariantClear 84759->84767 84760 40b4eb 84760->84767 84969 40e380 VariantClear ctype 84760->84969 84762 41171a 75 API calls 84762->84764 84764->84760 84766 430d08 ctype 84764->84766 84765->84762 84765->84764 84766->84759 84766->84767 84767->84751 84970 45e62e 116 API calls 3 library calls 84767->84970 84769 409386 84768->84769 84775 409395 84768->84775 84971 4042f0 75 API calls __cinit 84769->84971 84772 42fba9 84975 45e62e 116 API calls 3 library calls 84772->84975 84774 42fc07 84977 45e62e 116 API calls 3 library calls 84774->84977 84775->84772 84775->84774 84776 42fc85 84775->84776 84780 42fd4f 84775->84780 84781 42fcd8 84775->84781 84783 42fd39 84775->84783 84789 40946f 84775->84789 84791 4094c1 84775->84791 84794 40947b 84775->84794 84797 4092c0 VariantClear 84775->84797 84800 409484 ctype 84775->84800 84974 453155 75 API calls 84775->84974 84976 40c620 118 API calls 84775->84976 84978 45e62e 116 API calls 3 library calls 84775->84978 84979 4781ae 140 API calls 84776->84979 84784 4092c0 VariantClear 84780->84784 84981 47f2b4 174 API calls 84781->84981 84782 42fc9c 84782->84800 84980 45e62e 116 API calls 3 library calls 84782->84980 84983 45e62e 116 API calls 3 library calls 84783->84983 84784->84800 84787 42fce9 84787->84800 84982 45e62e 116 API calls 3 library calls 84787->84982 84972 409210 VariantClear 84789->84972 84791->84800 84973 404260 76 API calls 84791->84973 84795 4092c0 VariantClear 84794->84795 84795->84800 84797->84775 84798 4094e1 84799 4092c0 VariantClear 84798->84799 84799->84800 84800->84741 84984 409110 117 API calls 84801->84984 84803 42ceb6 84994 410ae0 VariantClear ctype 84803->84994 84805 40906e 84805->84803 84807 42cea9 84805->84807 84809 4090a4 84805->84809 84806 42cebf 84993 45e62e 116 API calls 3 library calls 84807->84993 84985 404160 84809->84985 84812 4090f0 ctype 84812->84741 84813 4092c0 VariantClear 84814 4090be ctype 84813->84814 84814->84812 84814->84813 84816 4292e3 84815->84816 84817 40d30c 84815->84817 84818 429323 84816->84818 84819 4292fd TranslateAcceleratorW 84816->84819 84817->84741 84818->84741 84819->84817 84821 4296d0 84820->84821 84822 40d32f 84820->84822 84821->84741 84823 42972a IsDialogMessageW 84822->84823 84824 40d33c 84822->84824 85129 4340ec GetClassLongW 84822->85129 84823->84822 84823->84824 84824->84741 84827 409a66 _wcslen 84826->84827 84828 41171a 75 API calls 84827->84828 84888 40aade _memcpy_s ctype 84827->84888 84829 409a9c _memcpy_s 84828->84829 84831 41171a 75 API calls 84829->84831 84830 401380 75 API calls 84832 42cee9 84830->84832 84833 409abd 84831->84833 84835 41171a 75 API calls 84832->84835 84834 409aeb CharUpperBuffW 84833->84834 84838 409b09 ctype 84833->84838 84833->84888 84834->84838 84876 42cf10 _memcpy_s 84835->84876 84879 409b88 ctype 84838->84879 85131 47d10e 150 API calls 84838->85131 84839 4092c0 VariantClear 84840 42e5e0 84839->84840 85161 410ae0 VariantClear ctype 84840->85161 84842 42e5f2 84843 409e4a 84845 41171a 75 API calls 84843->84845 84849 409ea4 84843->84849 84843->84876 84844 40aa5b 84846 41171a 75 API calls 84844->84846 84845->84849 84862 40aa81 _memcpy_s ctype 84846->84862 84847 40c3e0 75 API calls 84847->84879 84848 409ed0 84852 42d50d 84848->84852 84909 409ef8 _memcpy_s ctype 84848->84909 85140 40b800 VariantClear VariantClear ctype 84848->85140 84849->84848 84850 41171a 75 API calls 84849->84850 84851 42d480 84850->84851 84854 42d491 84851->84854 85136 44b3f6 75 API calls 84851->85136 84856 42d527 84852->84856 85141 40b800 VariantClear VariantClear ctype 84852->85141 84853 42d195 VariantClear 84853->84879 85137 40df50 75 API calls 84854->85137 84856->84909 85142 40e2e0 VariantClear ctype 84856->85142 84857 40a3a7 84859 40a415 84857->84859 84911 42db5c 84857->84911 84866 41171a 75 API calls 84859->84866 84860 4092c0 VariantClear 84860->84879 84870 41171a 75 API calls 84862->84870 84885 40a41c 84866->84885 84867 41171a 75 API calls 84867->84879 84870->84888 84871 42d4a6 85138 4530b3 75 API calls 84871->85138 84873 42db96 85147 45e62e 116 API calls 3 library calls 84873->85147 84875 42d128 84878 4092c0 VariantClear 84875->84878 85160 45e62e 116 API calls 3 library calls 84876->85160 84877 42d4d7 85139 4530b3 75 API calls 84877->85139 84884 42d131 84878->84884 84879->84843 84879->84844 84879->84847 84879->84853 84879->84860 84879->84862 84879->84867 84879->84875 84879->84876 84880 42d20c 84879->84880 84886 42dbb9 84879->84886 85132 40c620 118 API calls 84879->85132 85134 40be00 75 API calls 2 library calls 84879->85134 85135 40e380 VariantClear ctype 84879->85135 84880->84741 85133 410ae0 VariantClear ctype 84884->85133 84896 40a481 84885->84896 85148 40c8a0 VariantClear ctype 84885->85148 84886->84839 84888->84830 84890 402cc0 75 API calls 84890->84909 84891 41171a 75 API calls 84891->84909 84892 44b3f6 75 API calls 84892->84909 84894 4092c0 VariantClear 84922 40a534 _memcpy_s ctype 84894->84922 84895 411421 74 API calls __cinit 84895->84909 84897 40a4ed 84896->84897 84898 42dc1e VariantClear 84896->84898 84896->84922 84902 40a4ff ctype 84897->84902 85149 40e380 VariantClear ctype 84897->85149 84898->84902 84901 41171a 75 API calls 84901->84922 84902->84901 84902->84922 84903 4019e0 76 API calls 84903->84909 84906 42deb6 VariantClear 84906->84922 84907 40a73c 84910 42e237 84907->84910 84917 40a76b 84907->84917 84908 40e380 VariantClear 84908->84922 84909->84857 84909->84873 84909->84888 84909->84890 84909->84891 84909->84892 84909->84895 84909->84903 84909->84911 84916 40a053 84909->84916 85143 45ee98 75 API calls 84909->85143 85144 404260 76 API calls 84909->85144 85145 409210 VariantClear 84909->85145 85153 46e709 VariantClear VariantClear ctype 84910->85153 85146 4721e5 VariantClear 84911->85146 84912 42dfe9 VariantClear 84912->84922 84913 42df47 VariantClear 84913->84922 84914 40a7a2 84928 40a7ad ctype 84914->84928 85154 40b800 VariantClear VariantClear ctype 84914->85154 84916->84741 84917->84914 84940 40a800 ctype 84917->84940 85130 40b800 VariantClear VariantClear ctype 84917->85130 84920 41171a 75 API calls 84920->84922 84921 41171a 75 API calls 84926 42dd10 VariantInit VariantCopy 84921->84926 84922->84894 84922->84906 84922->84907 84922->84908 84922->84910 84922->84912 84922->84913 84922->84920 84922->84921 85150 46e9cd 75 API calls 84922->85150 85151 409210 VariantClear 84922->85151 85152 44cc6c VariantClear ctype 84922->85152 84923 40a8b0 84934 40a8c2 ctype 84923->84934 85156 40e380 VariantClear ctype 84923->85156 84924 42e312 84925 42e337 VariantClear 84924->84925 84924->84934 84925->84934 84926->84922 84927 42dd30 VariantClear 84926->84927 84927->84922 84929 40a7ee 84928->84929 84933 42e2a7 VariantClear 84928->84933 84928->84940 84929->84940 85155 40e380 VariantClear ctype 84929->85155 84931 42e3b2 84936 42e3da VariantClear 84931->84936 84942 40a91a ctype 84931->84942 84933->84940 84934->84931 84935 40a908 84934->84935 84935->84942 85157 40e380 VariantClear ctype 84935->85157 84936->84942 84938 42e47f 84943 42e4a3 VariantClear 84938->84943 84948 40a957 ctype 84938->84948 84939 40a945 84939->84948 85158 40e380 VariantClear ctype 84939->85158 84940->84923 84940->84924 84942->84938 84942->84939 84943->84948 84945 40aa22 ctype 84945->84741 84946 42e559 VariantClear 84946->84948 84948->84945 84948->84946 85159 40e380 VariantClear ctype 84948->85159 84949->84706 84950->84735 84951->84735 84952->84735 84953->84735 84954->84735 84955->84735 84957 40412e 84956->84957 84958 4092c0 VariantClear 84957->84958 84959 404138 84958->84959 84959->84729 84960->84735 84961->84735 84962->84741 84963->84704 84964->84741 84965->84741 84966->84747 84967->84750 84968->84765 84969->84767 84970->84754 84971->84775 84972->84794 84973->84798 84974->84775 84975->84800 84976->84775 84977->84800 84978->84775 84979->84782 84980->84800 84981->84787 84982->84800 84983->84780 84984->84805 84986 4092c0 VariantClear 84985->84986 84987 40416e 84986->84987 84988 404120 VariantClear 84987->84988 84989 40419b 84988->84989 84995 40efe0 84989->84995 85003 4734b7 84989->85003 84990 4041c6 84990->84803 84990->84814 84993->84803 84994->84806 84996 40eff5 CreateFileW 84995->84996 84997 4299bf 84995->84997 84998 40f017 84996->84998 84997->84998 84999 4299c4 CreateFileW 84997->84999 84998->84990 84999->84998 85000 4299ea 84999->85000 85047 40e0d0 SetFilePointerEx SetFilePointerEx 85000->85047 85002 4299f5 85002->84998 85004 453063 111 API calls 85003->85004 85005 4734d7 85004->85005 85006 473545 85005->85006 85007 47350c 85005->85007 85048 463c42 85006->85048 85008 4092c0 VariantClear 85007->85008 85013 473514 85008->85013 85010 473558 85011 47355c 85010->85011 85027 473595 85010->85027 85014 4092c0 VariantClear 85011->85014 85012 473616 85061 463d7e 85012->85061 85013->84990 85023 473564 85014->85023 85016 453063 111 API calls 85016->85027 85017 473622 85018 473697 85017->85018 85019 47362c 85017->85019 85095 457838 85018->85095 85022 4092c0 VariantClear 85019->85022 85025 473634 85022->85025 85023->84990 85025->84990 85026 473655 85029 4092c0 VariantClear 85026->85029 85027->85012 85027->85016 85027->85026 85107 462f5a 87 API calls __wcsicoll 85027->85107 85041 47365d 85029->85041 85031 4736b0 85108 45e62e 116 API calls 3 library calls 85031->85108 85032 4736c9 85109 40e7e0 76 API calls 85032->85109 85035 4736ba GetCurrentProcess TerminateProcess 85035->85032 85036 4736db 85045 4736ff 85036->85045 85110 40d030 76 API calls 85036->85110 85038 473731 85043 473744 FreeLibrary 85038->85043 85044 47374b 85038->85044 85039 4736f1 85111 46b945 134 API calls 2 library calls 85039->85111 85041->84990 85043->85044 85044->84990 85045->85038 85112 40d030 76 API calls 85045->85112 85113 46b945 134 API calls 2 library calls 85045->85113 85047->85002 85114 45335b 76 API calls 85048->85114 85050 463c5d 85115 442c52 80 API calls _wcslen 85050->85115 85052 463c72 85054 40c060 75 API calls 85052->85054 85060 463cac 85052->85060 85055 463c8e 85054->85055 85116 4608ce 75 API calls _memcpy_s 85055->85116 85057 463ca4 85059 40c740 75 API calls 85057->85059 85058 463cf7 85058->85010 85059->85060 85060->85058 85117 462f5a 87 API calls __wcsicoll 85060->85117 85062 453063 111 API calls 85061->85062 85063 463d99 85062->85063 85064 463de0 85063->85064 85065 463dca 85063->85065 85119 40c760 78 API calls 85064->85119 85118 453081 111 API calls 85065->85118 85068 463dd0 LoadLibraryW 85070 463e09 85068->85070 85069 463de7 85074 463e19 85069->85074 85120 40c760 78 API calls 85069->85120 85072 463e3e 85070->85072 85070->85074 85075 463e4e 85072->85075 85076 463e7b 85072->85076 85073 463dfb 85073->85074 85121 40c760 78 API calls 85073->85121 85074->85017 85122 40d500 75 API calls 85075->85122 85124 40c760 78 API calls 85076->85124 85080 463e57 85123 45efe7 77 API calls ctype 85080->85123 85081 463e82 GetProcAddress 85084 463e90 85081->85084 85083 463e62 GetProcAddress 85086 463e79 85083->85086 85084->85074 85085 463edf 85084->85085 85084->85086 85085->85074 85089 463eef FreeLibrary 85085->85089 85086->85084 85125 403470 75 API calls _memcpy_s 85086->85125 85088 463eb4 85126 40d500 75 API calls 85088->85126 85089->85074 85091 463ebd 85127 45efe7 77 API calls ctype 85091->85127 85093 463ec8 GetProcAddress 85128 401330 ctype 85093->85128 85096 457a4c 85095->85096 85102 45785f _strcat _wcslen _wcscpy ctype 85095->85102 85103 410d40 85096->85103 85097 40c760 78 API calls 85097->85102 85098 453081 111 API calls 85098->85102 85099 443576 78 API calls 85099->85102 85100 4138ba 67 API calls _malloc 85100->85102 85101 40f580 77 API calls 85101->85102 85102->85096 85102->85097 85102->85098 85102->85099 85102->85100 85102->85101 85104 410d55 85103->85104 85105 410ded VirtualProtect 85104->85105 85106 410dbb 85104->85106 85105->85106 85106->85031 85106->85032 85107->85027 85108->85035 85109->85036 85110->85039 85111->85045 85112->85045 85113->85045 85114->85050 85115->85052 85116->85057 85117->85058 85118->85068 85119->85069 85120->85073 85121->85070 85122->85080 85123->85083 85124->85081 85125->85088 85126->85091 85127->85093 85128->85085 85129->84822 85130->84914 85131->84838 85132->84879 85133->84945 85134->84879 85135->84879 85136->84854 85137->84871 85138->84877 85139->84848 85140->84852 85141->84856 85142->84909 85143->84909 85144->84909 85145->84909 85146->84873 85147->84886 85148->84885 85149->84902 85150->84922 85151->84922 85152->84922 85153->84914 85154->84928 85155->84940 85156->84934 85157->84942 85158->84948 85159->84948 85160->84886 85161->84842 85162 3e8dff0 85176 3e8bc00 85162->85176 85164 3e8e0e6 85179 3e8dee0 85164->85179 85166 3e8e10f CreateFileW 85168 3e8e161 85166->85168 85169 3e8e166 85166->85169 85169->85168 85170 3e8e17d VirtualAlloc 85169->85170 85170->85168 85171 3e8e19e ReadFile 85170->85171 85171->85168 85172 3e8e1b9 85171->85172 85173 3e8cc70 12 API calls 85172->85173 85174 3e8e1d3 85173->85174 85175 3e8cee0 GetPEB GetPEB 85174->85175 85175->85168 85182 3e8f130 GetPEB 85176->85182 85178 3e8c28b 85178->85164 85180 3e8dee9 Sleep 85179->85180 85181 3e8def7 85180->85181 85183 3e8f15a 85182->85183 85183->85178 84535 46d22f 84538 46d098 84535->84538 84537 46d241 84539 46d0b5 84538->84539 84540 46d115 84539->84540 84541 46d0b9 84539->84541 84593 45c216 78 API calls 84540->84593 84542 41171a 75 API calls 84541->84542 84545 46d0c0 84542->84545 84544 46d126 84546 46d0f8 84544->84546 84553 46d142 84544->84553 84547 46d0cc 84545->84547 84586 40d940 76 API calls 84545->84586 84549 4092c0 VariantClear 84546->84549 84587 453063 84547->84587 84551 46d0fd 84549->84551 84551->84537 84554 46d1c8 84553->84554 84556 46d158 84553->84556 84598 4676a3 78 API calls 84554->84598 84560 453063 111 API calls 84556->84560 84557 46d0ea 84557->84553 84561 46d0ee 84557->84561 84559 46d1ce 84599 4444c2 SetFilePointerEx SetFilePointerEx WriteFile 84559->84599 84569 46d15e 84560->84569 84561->84546 84592 44ade5 CloseHandle ctype 84561->84592 84562 46d18d 84594 467fce 82 API calls 84562->84594 84566 46d196 84568 4013a0 75 API calls 84566->84568 84567 46d1e7 84571 4092c0 VariantClear 84567->84571 84580 46d194 84567->84580 84570 46d1a2 84568->84570 84569->84562 84569->84566 84595 40df50 75 API calls 84570->84595 84571->84580 84573 46d1ac 84596 40d3b0 75 API calls 2 library calls 84573->84596 84575 46d224 84575->84537 84576 46d1b8 84597 467fce 82 API calls 84576->84597 84579 46d216 84600 44ade5 CloseHandle ctype 84579->84600 84580->84575 84582 40d900 84580->84582 84583 40d917 84582->84583 84584 40d909 84582->84584 84583->84584 84585 40d91c CloseHandle 84583->84585 84584->84579 84585->84579 84586->84547 84588 45306e 84587->84588 84589 45307a 84587->84589 84588->84589 84601 452e2a 111 API calls 5 library calls 84588->84601 84591 40dfa0 83 API calls 84589->84591 84591->84557 84592->84546 84593->84544 84594->84580 84595->84573 84596->84576 84597->84580 84598->84559 84599->84567 84600->84575 84601->84589 85184 42919b 85189 40ef10 85184->85189 85187 411421 __cinit 74 API calls 85188 4291aa 85187->85188 85190 41171a 75 API calls 85189->85190 85191 40ef17 85190->85191 85192 42ad48 85191->85192 85197 40ef40 74 API calls __cinit 85191->85197 85194 40ef2a 85198 40e470 85194->85198 85197->85194 85199 40c060 75 API calls 85198->85199 85200 40e483 GetVersionExW 85199->85200 85201 4021e0 75 API calls 85200->85201 85202 40e4bb 85201->85202 85224 40e600 85202->85224 85209 42accc 85210 42ad28 GetSystemInfo 85209->85210 85214 42ad38 GetSystemInfo 85210->85214 85211 40e557 GetCurrentProcess 85244 40ee30 LoadLibraryA GetProcAddress 85211->85244 85212 40e56c 85212->85214 85237 40eee0 85212->85237 85217 40e5c9 85241 40eea0 85217->85241 85220 40e5e0 85222 40e5f1 FreeLibrary 85220->85222 85223 40e5f4 85220->85223 85221 40e5dd FreeLibrary 85221->85220 85222->85223 85223->85187 85225 40e60b 85224->85225 85226 40c740 75 API calls 85225->85226 85227 40e4c2 85226->85227 85228 40e620 85227->85228 85229 40e62a 85228->85229 85230 42ac93 85229->85230 85231 40c740 75 API calls 85229->85231 85232 40e4ce 85231->85232 85232->85209 85233 40ee70 85232->85233 85234 40e551 85233->85234 85235 40ee76 LoadLibraryA 85233->85235 85234->85211 85234->85212 85235->85234 85236 40ee87 GetProcAddress 85235->85236 85236->85234 85238 40e5bf 85237->85238 85239 40eee6 LoadLibraryA 85237->85239 85238->85210 85238->85217 85239->85238 85240 40eef7 GetProcAddress 85239->85240 85240->85238 85245 40eec0 LoadLibraryA GetProcAddress 85241->85245 85243 40e5d3 GetNativeSystemInfo 85243->85220 85243->85221 85244->85212 85245->85243 85246 42e89e 85253 40c000 85246->85253 85248 42e8ac 85249 409a40 165 API calls 85248->85249 85250 42e8ca 85249->85250 85264 44b92e VariantClear 85250->85264 85252 42f3ae 85254 40c014 85253->85254 85255 40c007 85253->85255 85256 40c01a 85254->85256 85257 40c02c 85254->85257 85265 409210 VariantClear 85255->85265 85266 409210 VariantClear 85256->85266 85261 41171a 75 API calls 85257->85261 85259 40c00f 85259->85248 85263 40c033 85261->85263 85262 40c023 85262->85248 85263->85248 85264->85252 85265->85259 85266->85262 84602 40116e 84603 401119 DefWindowProcW 84602->84603

                                                                                                          Executed Functions

                                                                                                          Function 00409A40 Relevance: 32.2, APIs: 15, Strings: 2, Instructions: 2432COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _wcslen.LIBCMT ref: 00409A61
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                          • String ID: 0vH$4RH
                                                                                                          • API String ID: 1143807570-2085553193
                                                                                                          • Opcode ID: 871ee0cf3e7049cfc52ffc1c0c6a20d390630c46fc92d40781a439c75a0ca281
                                                                                                          • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
                                                                                                          • Opcode Fuzzy Hash: 871ee0cf3e7049cfc52ffc1c0c6a20d390630c46fc92d40781a439c75a0ca281
                                                                                                          • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B
                                                                                                          Function 0040D6D0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 141windowCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
                                                                                                            • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\7xonkSJwuY.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
                                                                                                            • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
                                                                                                            • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
                                                                                                            • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
                                                                                                            • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
                                                                                                            • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
                                                                                                          • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
                                                                                                          • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\7xonkSJwuY.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
                                                                                                            • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\7xonkSJwuY.exe,00000004), ref: 0040D7D6
                                                                                                          • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\7xonkSJwuY.exe,00000004), ref: 00431B0E
                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\7xonkSJwuY.exe,00000004), ref: 00431B3F
                                                                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
                                                                                                          • ShellExecuteW.SHELL32(00000000), ref: 00431B92
                                                                                                            • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                                                                            • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                                                                            • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                                                            • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                                                            • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                                                            • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                                                            • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                                                                                                            • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                                                                            • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                                                                            • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                                                                                                            • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                                                            • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                                                                                                            • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                                                                                          • String ID: @GH$@GH$C:\Users\user\Desktop\7xonkSJwuY.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                                                          • API String ID: 2493088469-2744423633
                                                                                                          • Opcode ID: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
                                                                                                          • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                                                                                          • Opcode Fuzzy Hash: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
                                                                                                          • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E
                                                                                                          Function 0040E470 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1316 40e470-40e500 call 40c060 GetVersionExW call 4021e0 call 40e600 call 40e620 1325 40e506-40e509 1316->1325 1326 42accc-42acd1 1316->1326 1329 40e540-40e555 call 40ee70 1325->1329 1330 40e50b-40e51c 1325->1330 1327 42acd3-42acdb 1326->1327 1328 42acdd-42ace0 1326->1328 1332 42ad12-42ad20 1327->1332 1333 42ace2-42aceb 1328->1333 1334 42aced-42acf0 1328->1334 1343 40e557-40e573 GetCurrentProcess call 40ee30 1329->1343 1344 40e579-40e5a8 1329->1344 1335 40e522-40e525 1330->1335 1336 42ac9b-42aca7 1330->1336 1342 42ad28-42ad2d GetSystemInfo 1332->1342 1333->1332 1334->1332 1340 42acf2-42ad06 1334->1340 1335->1329 1341 40e527-40e537 1335->1341 1338 42acb2-42acba 1336->1338 1339 42aca9-42acad 1336->1339 1338->1329 1339->1329 1345 42ad08-42ad0c 1340->1345 1346 42ad0e 1340->1346 1347 42acbf-42acc7 1341->1347 1348 40e53d 1341->1348 1350 42ad38-42ad3d GetSystemInfo 1342->1350 1343->1344 1357 40e575 1343->1357 1344->1350 1351 40e5ae-40e5c3 call 40eee0 1344->1351 1345->1332 1346->1332 1347->1329 1348->1329 1351->1342 1356 40e5c9-40e5db call 40eea0 GetNativeSystemInfo 1351->1356 1360 40e5e0-40e5ef 1356->1360 1361 40e5dd-40e5de FreeLibrary 1356->1361 1357->1344 1362 40e5f1-40e5f2 FreeLibrary 1360->1362 1363 40e5f4-40e5ff 1360->1363 1361->1360 1362->1363
                                                                                                          APIs
                                                                                                          • GetVersionExW.KERNEL32 ref: 0040E495
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                                                                          • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                                                                          • String ID: pMH
                                                                                                          • API String ID: 2923339712-2522892712
                                                                                                          • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                                                          • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                                                                          • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                                                          • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                                                                          Function 0040EB70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: IsThemeActive$uxtheme.dll
                                                                                                          • API String ID: 2574300362-3542929980
                                                                                                          • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                                                          • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                                                                          • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                                                          • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28
                                                                                                          Function 00410B90 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 167registryCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                                                                                          • __wsplitpath.LIBCMT ref: 00410C61
                                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                          • _wcsncat.LIBCMT ref: 00410C78
                                                                                                          • __wmakepath.LIBCMT ref: 00410C94
                                                                                                            • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                          • _wcscpy.LIBCMT ref: 00410CCC
                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                                                                                                          • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                                                                          • _wcscat.LIBCMT ref: 00429C43
                                                                                                          • _wcslen.LIBCMT ref: 00429C55
                                                                                                          • _wcslen.LIBCMT ref: 00429C66
                                                                                                          • _wcscat.LIBCMT ref: 00429C80
                                                                                                          • _wcsncpy.LIBCMT ref: 00429CC0
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\
                                                                                                          • API String ID: 1004883554-2276155026
                                                                                                          • Opcode ID: d7f6643cad26fd3001d91627fc5ef1af4f656d40d4c5ca14c02d7ab544e78cf5
                                                                                                          • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                                                                          • Opcode Fuzzy Hash: d7f6643cad26fd3001d91627fc5ef1af4f656d40d4c5ca14c02d7ab544e78cf5
                                                                                                          • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A
                                                                                                          Function 004095C7 Relevance: 21.5, APIs: 14, Instructions: 539sleeptimeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
                                                                                                            • Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 00409870
                                                                                                          • timeGetTime.WINMM ref: 00409880
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharSleepTimeUpper_wcslentime
                                                                                                          • String ID:
                                                                                                          • API String ID: 3219444185-0
                                                                                                          • Opcode ID: b124ae733e2c30a8df030179fd7ebda2966fc041c6879d6beed06594e2dda547
                                                                                                          • Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
                                                                                                          • Opcode Fuzzy Hash: b124ae733e2c30a8df030179fd7ebda2966fc041c6879d6beed06594e2dda547
                                                                                                          • Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A
                                                                                                          Function 004161C2 Relevance: 21.1, APIs: 14, Instructions: 86COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1206 4161c2-4161d1 1207 4161d3-4161df 1206->1207 1208 4161fa 1206->1208 1207->1208 1209 4161e1-4161e8 1207->1209 1210 4161fd-416209 call 41aa31 1208->1210 1209->1208 1211 4161ea-4161f8 1209->1211 1214 416213-41621a call 416e29 1210->1214 1215 41620b-416212 call 41616a 1210->1215 1211->1210 1220 416224-416233 call 41843a call 41b669 1214->1220 1221 41621c-416223 call 41616a 1214->1221 1215->1214 1228 416235-41623c call 4117af 1220->1228 1229 41623d-416258 GetCommandLineW call 42235f call 4222b1 1220->1229 1221->1220 1228->1229 1236 416262-416269 call 422082 1229->1236 1237 41625a-416261 call 4117af 1229->1237 1242 416273-41627c call 41186e 1236->1242 1243 41626b-416272 call 4117af 1236->1243 1237->1236 1248 416285-41628d call 42203c 1242->1248 1249 41627e-416284 call 4117af 1242->1249 1243->1242 1254 416295-416297 1248->1254 1255 41628f-416293 1248->1255 1249->1248 1256 416298-4162a0 call 40d7f0 1254->1256 1255->1256 1258 4162a5-4162ab 1256->1258 1259 4162b3-41630f call 411a4b call 4171d1 1258->1259 1260 4162ad-4162ae call 411a1f 1258->1260 1260->1259
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
                                                                                                          • String ID:
                                                                                                          • API String ID: 2477803136-0
                                                                                                          • Opcode ID: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                                                                                                          • Instruction ID: 5d71fe406d9f608d9de966b229f2038f561e79c4b175df4472a1e640f9164680
                                                                                                          • Opcode Fuzzy Hash: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                                                                                                          • Instruction Fuzzy Hash: 6A21A671D00315A9DB14BBB2A9467EE2664AF1074CF1144AFF9056A2D3EEBCC8C1461D
                                                                                                          Function 004523CE Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 145COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock$_fseek_wcscpy
                                                                                                          • String ID: FILE
                                                                                                          • API String ID: 3888824918-3121273764
                                                                                                          • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                                                          • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                                                                          • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                                                          • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA
                                                                                                          Function 004102F0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32 ref: 00410326
                                                                                                          • RegisterClassExW.USER32 ref: 00410359
                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                                                          • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                                                          • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(009C36A8,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                          • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                                                          • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                                                                          • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                                                          • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A
                                                                                                          Function 004101F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 74windowregistryCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                                                                          • LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                                                          • LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                                                          • LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                                                          • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                                                          • RegisterClassExW.USER32 ref: 004102C6
                                                                                                            • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                                                                                            • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                                                                                            • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                                                            • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                                                            • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                                                            • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                                                            • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(009C36A8,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                          • String ID: #$0$PGH
                                                                                                          • API String ID: 423443420-3673556320
                                                                                                          • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                                                          • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                                                                                                          • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                                                          • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99
                                                                                                          Function 00452574 Relevance: 13.7, APIs: 9, Instructions: 171COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • _fseek.LIBCMT ref: 004525DA
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                                                          • __fread_nolock.LIBCMT ref: 00452618
                                                                                                          • __fread_nolock.LIBCMT ref: 00452629
                                                                                                          • __fread_nolock.LIBCMT ref: 00452644
                                                                                                          • __fread_nolock.LIBCMT ref: 00452661
                                                                                                          • _fseek.LIBCMT ref: 0045267D
                                                                                                          • _malloc.LIBCMT ref: 00452689
                                                                                                          • _malloc.LIBCMT ref: 00452696
                                                                                                          • __fread_nolock.LIBCMT ref: 004526A7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock$_fseek_malloc_wcscpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1911931848-0
                                                                                                          • Opcode ID: 39e525b20cc1aefa4f385fb402171190d52ed58ba15884977f2bec0a08687c0e
                                                                                                          • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                                                                                                          • Opcode Fuzzy Hash: 39e525b20cc1aefa4f385fb402171190d52ed58ba15884977f2bec0a08687c0e
                                                                                                          • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A
                                                                                                          Function 0040F450 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 126COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1406 40f450-40f45c call 425210 1409 40f460-40f478 1406->1409 1409->1409 1410 40f47a-40f4a8 call 413990 call 410f70 1409->1410 1415 40f4b0-40f4d1 call 4151b0 1410->1415 1418 40f531 1415->1418 1419 40f4d3-40f4da 1415->1419 1420 40f536-40f540 1418->1420 1421 40f4dc-40f4de 1419->1421 1422 40f4fd-40f517 call 41557c 1419->1422 1424 40f4e0-40f4e2 1421->1424 1425 40f51c-40f51f 1422->1425 1426 40f4e6-40f4ed 1424->1426 1425->1415 1427 40f521-40f52c 1426->1427 1428 40f4ef-40f4f2 1426->1428 1429 40f543-40f54e 1427->1429 1430 40f52e-40f52f 1427->1430 1431 42937a-4293a0 call 41557c call 4151b0 1428->1431 1432 40f4f8-40f4fb 1428->1432 1434 40f550-40f553 1429->1434 1435 40f555-40f560 1429->1435 1430->1428 1442 4293a5-4293c3 call 4151d0 1431->1442 1432->1422 1432->1424 1434->1428 1437 429372 1435->1437 1438 40f566-40f571 1435->1438 1437->1431 1440 429361-429367 1438->1440 1441 40f577-40f57a 1438->1441 1440->1426 1443 42936d 1440->1443 1441->1428 1442->1420 1443->1437
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock_fseek_strcat
                                                                                                          • String ID: AU3!$EA06
                                                                                                          • API String ID: 3818483258-2658333250
                                                                                                          • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                                                          • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                                                                                                          • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                                                                                                          • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B
                                                                                                          Function 00410130 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1446 410130-410142 SHGetMalloc 1447 410148-410158 SHGetDesktopFolder 1446->1447 1448 42944f-429459 call 411691 1446->1448 1449 4101d1-4101e0 1447->1449 1450 41015a-410188 call 411691 1447->1450 1449->1448 1456 4101e6-4101ee 1449->1456 1458 4101c5-4101ce 1450->1458 1459 41018a-4101a1 SHGetPathFromIDListW 1450->1459 1458->1449 1460 4101a3-4101b1 call 411691 1459->1460 1461 4101b4-4101c0 1459->1461 1460->1461 1461->1458
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscpy$DesktopFolderFromListMallocPath
                                                                                                          • String ID: C:\Users\user\Desktop\7xonkSJwuY.exe
                                                                                                          • API String ID: 192938534-577618991
                                                                                                          • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                                                          • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                                                                                                          • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                                                                                                          • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6
                                                                                                          Function 00401230 Relevance: 12.1, APIs: 8, Instructions: 83windowtimeCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1464 401230-40123b 1465 401241-401272 call 4131f0 call 401be0 1464->1465 1466 4012c5-4012cd 1464->1466 1471 401274-401292 1465->1471 1472 4012ae-4012bf KillTimer SetTimer 1465->1472 1473 42aa61-42aa67 1471->1473 1474 401298-40129c 1471->1474 1472->1466 1475 42aa8b-42aaa7 Shell_NotifyIconW 1473->1475 1476 42aa69-42aa86 Shell_NotifyIconW 1473->1476 1477 4012a2-4012a8 1474->1477 1478 42aaac-42aab3 1474->1478 1475->1472 1476->1472 1477->1472 1481 42aaf8-42ab15 Shell_NotifyIconW 1477->1481 1479 42aad7-42aaf3 Shell_NotifyIconW 1478->1479 1480 42aab5-42aad2 Shell_NotifyIconW 1478->1480 1479->1472 1480->1472 1481->1472
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00401257
                                                                                                            • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                                                                                                            • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                                                                                                            • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                                                                                                            • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                                                          • KillTimer.USER32(?,?), ref: 004012B0
                                                                                                          • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                                                                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                                                                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                                                                                                          • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1792922140-0
                                                                                                          • Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                                                                          • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                                                                                                          • Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
                                                                                                          • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB
                                                                                                          Function 00414F10 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1482 414f10-414f2c 1483 414f4f 1482->1483 1484 414f2e-414f31 1482->1484 1486 414f51-414f55 1483->1486 1484->1483 1485 414f33-414f35 1484->1485 1487 414f37-414f46 call 417f23 1485->1487 1488 414f56-414f5b 1485->1488 1500 414f47-414f4c call 417ebb 1487->1500 1489 414f6a-414f6d 1488->1489 1490 414f5d-414f68 1488->1490 1493 414f7a-414f7c 1489->1493 1494 414f6f-414f77 call 4131f0 1489->1494 1490->1489 1492 414f8b-414f9e 1490->1492 1498 414fa0-414fa6 1492->1498 1499 414fa8 1492->1499 1493->1487 1497 414f7e-414f89 1493->1497 1494->1493 1497->1487 1497->1492 1502 414faf-414fb1 1498->1502 1499->1502 1500->1483 1504 4150a1-4150a4 1502->1504 1505 414fb7-414fbe 1502->1505 1504->1486 1507 414fc0-414fc5 1505->1507 1508 415004-415007 1505->1508 1507->1508 1511 414fc7 1507->1511 1509 415071-415072 call 41e6b1 1508->1509 1510 415009-41500d 1508->1510 1517 415077-41507b 1509->1517 1513 41500f-415018 1510->1513 1514 41502e-415035 1510->1514 1515 415102 1511->1515 1516 414fcd-414fd1 1511->1516 1518 415023-415028 1513->1518 1519 41501a-415021 1513->1519 1521 415037 1514->1521 1522 415039-41503c 1514->1522 1520 415106-41510f 1515->1520 1523 414fd3 1516->1523 1524 414fd5-414fd8 1516->1524 1517->1520 1527 415081-415085 1517->1527 1528 41502a-41502c 1518->1528 1519->1528 1520->1486 1521->1522 1529 415042-41504e call 41453a call 41ed9e 1522->1529 1530 4150d5-4150d9 1522->1530 1523->1524 1525 4150a9-4150af 1524->1525 1526 414fde-414fff call 41ee9b 1524->1526 1535 4150b1-4150bd call 4131f0 1525->1535 1536 4150c0-4150d0 call 417f23 1525->1536 1542 415099-41509b 1526->1542 1527->1530 1534 415087-415096 1527->1534 1528->1522 1550 415053-415058 1529->1550 1532 4150eb-4150fd call 417f23 1530->1532 1533 4150db-4150e8 call 4131f0 1530->1533 1532->1500 1533->1532 1534->1542 1535->1536 1536->1500 1542->1504 1542->1505 1551 415114-415118 1550->1551 1552 41505e-415061 1550->1552 1551->1520 1552->1515 1553 415067-41506f 1552->1553 1553->1542
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 3886058894-0
                                                                                                          • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                                                          • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
                                                                                                          • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
                                                                                                          • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99
                                                                                                          Function 03E8C520 Relevance: 10.7, APIs: 7, Instructions: 151fileCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1554 3e8c520-3e8c572 call 3e8c420 CreateFileW 1557 3e8c57b-3e8c588 1554->1557 1558 3e8c574-3e8c576 1554->1558 1561 3e8c58a-3e8c596 1557->1561 1562 3e8c59b-3e8c5b2 VirtualAlloc 1557->1562 1559 3e8c6d4-3e8c6d8 1558->1559 1561->1559 1563 3e8c5bb-3e8c5e1 CreateFileW 1562->1563 1564 3e8c5b4-3e8c5b6 1562->1564 1566 3e8c5e3-3e8c600 1563->1566 1567 3e8c605-3e8c61f ReadFile 1563->1567 1564->1559 1566->1559 1568 3e8c621-3e8c63e 1567->1568 1569 3e8c643-3e8c647 1567->1569 1568->1559 1570 3e8c668-3e8c67f WriteFile 1569->1570 1571 3e8c649-3e8c666 1569->1571 1574 3e8c6aa-3e8c6cf CloseHandle VirtualFree 1570->1574 1575 3e8c681-3e8c6a8 1570->1575 1571->1559 1574->1559 1575->1559
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 03E8C565
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                                                          • Instruction ID: 6df113fe7405ff0e7404763e522fd6ffc41fcc93293db4b423b0099833878f90
                                                                                                          • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                                                          • Instruction Fuzzy Hash: 42512C75E50208FBDF60DFA0CC49FEEB778AF48B04F109654F60AEA180DA749A449B64
                                                                                                          Function 00401BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90windowCOMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1584 401be0-401bf5 1585 401bfb-401c12 call 4013a0 1584->1585 1586 401cde-401ce3 1584->1586 1589 42a9a0-42a9b0 LoadStringW 1585->1589 1590 401c18-401c34 call 4021e0 1585->1590 1592 42a9bb-42a9c8 call 40df50 1589->1592 1595 401c3a-401c3e 1590->1595 1596 42a9cd-42a9ea call 40d3b0 call 437a81 1590->1596 1600 401c53-401cd9 call 4131f0 call 41326a call 411691 Shell_NotifyIconW call 402620 1592->1600 1595->1592 1598 401c44-401c4e call 40d3b0 1595->1598 1596->1600 1608 42a9f0-42aa04 call 40d3b0 call 437a81 1596->1608 1598->1600 1600->1586
                                                                                                          APIs
                                                                                                          • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • _memset.LIBCMT ref: 00401C62
                                                                                                          • _wcsncpy.LIBCMT ref: 00401CA1
                                                                                                          • _wcscpy.LIBCMT ref: 00401CBD
                                                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                                                                                                          • String ID: Line:
                                                                                                          • API String ID: 1620655955-1585850449
                                                                                                          • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                                                          • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                                                                                                          • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                                                          • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B
                                                                                                          Function 004103E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON
                                                                                                          Download Yara Rule

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph 1617 4103e0-410461 CreateWindowExW * 2 ShowWindow * 2
                                                                                                          APIs
                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                                                                          • ShowWindow.USER32(?,00000000), ref: 00410454
                                                                                                          • ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$CreateShow
                                                                                                          • String ID: AutoIt v3$edit
                                                                                                          • API String ID: 1584632944-3779509399
                                                                                                          • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                                                          • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                                                                                                          • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                                                          • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C
                                                                                                          Function 00413A88 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __lock.LIBCMT ref: 00413AA6
                                                                                                            • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                                                                                                            • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                                                                                                            • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
                                                                                                          • ___sbh_find_block.LIBCMT ref: 00413AB1
                                                                                                          • ___sbh_free_block.LIBCMT ref: 00413AC0
                                                                                                          • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                                                                          • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                          • String ID:
                                                                                                          • API String ID: 2714421763-0
                                                                                                          • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                                                                          • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
                                                                                                          • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                                                                          • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
                                                                                                          Function 03E8DFF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 03E8DEE0: Sleep.KERNELBASE(000001F4), ref: 03E8DEF1
                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03E8E152
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFileSleep
                                                                                                          • String ID: GTZ6PV7COIL7XRZ2HR06D9MWT05Q9P
                                                                                                          • API String ID: 2694422964-4197755427
                                                                                                          • Opcode ID: 96ec097fae0332044011870418eaa1988b9c53edfedcbbd30e3233f3a32032f9
                                                                                                          • Instruction ID: 02ac34477ed627995fbcc73e18a8514a9c0891dfb08acadf7c3c14999ee144a7
                                                                                                          • Opcode Fuzzy Hash: 96ec097fae0332044011870418eaa1988b9c53edfedcbbd30e3233f3a32032f9
                                                                                                          • Instruction Fuzzy Hash: FD719030D04288DAEF11DBA4D844BEEBB79AF55304F044299D65C7B2C0D7BA0B49CBA6
                                                                                                          Function 0040F5E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                                                                                                            • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                                                                                                            • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                                                                                                          • _strcat.LIBCMT ref: 0040F603
                                                                                                            • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                                                                                                            • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 1194219731-2761332787
                                                                                                          • Opcode ID: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
                                                                                                          • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
                                                                                                          • Opcode Fuzzy Hash: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
                                                                                                          • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
                                                                                                          Function 0040E1E0 Relevance: 6.1, APIs: 4, Instructions: 82windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 0040E202
                                                                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconNotifyShell__memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 928536360-0
                                                                                                          • Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                                                                                                          • Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
                                                                                                          • Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
                                                                                                          • Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
                                                                                                          Function 0041171A Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _malloc.LIBCMT ref: 00411734
                                                                                                            • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                                                                            • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                                                                            • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                                                                          • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                            • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
                                                                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                          • __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 1411284514-0
                                                                                                          • Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                                                                          • Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
                                                                                                          • Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
                                                                                                          • Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
                                                                                                          Function 03E8CC00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 03E8CC45
                                                                                                          • ExitProcess.KERNEL32(00000000), ref: 03E8CC64
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$CreateExit
                                                                                                          • String ID: D
                                                                                                          • API String ID: 126409537-2746444292
                                                                                                          • Opcode ID: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
                                                                                                          • Instruction ID: ea9141200dff1afa2ce3fc45eaa6f09f96b9b66d5643541541e12feafcfdc72d
                                                                                                          • Opcode Fuzzy Hash: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
                                                                                                          • Instruction Fuzzy Hash: DCF0F47594024CABDB60EFE0CD49FEE777CBF44705F148608FB0E9A140DA7496488761
                                                                                                          Function 004734B7 Relevance: 4.7, APIs: 3, Instructions: 234COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                                                                          • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
                                                                                                          • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                                                                          • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                                                                                                          Function 0040F110 Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                                                                                                          • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                                                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                          • String ID:
                                                                                                          • API String ID: 3677997916-0
                                                                                                          • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                                                          • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                                                                                                          • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                                                          • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                                                                                                          Function 0043526E Relevance: 4.5, APIs: 3, Instructions: 26COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _malloc.LIBCMT ref: 00435278
                                                                                                            • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                                                                            • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                                                                            • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                                                                          • _malloc.LIBCMT ref: 00435288
                                                                                                          • _malloc.LIBCMT ref: 00435298
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _malloc$AllocateHeap
                                                                                                          • String ID:
                                                                                                          • API String ID: 680241177-0
                                                                                                          • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                                                          • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                                                                                                          • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                                                          • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                                                                                                          Function 0040B380 Relevance: 3.3, APIs: 2, Instructions: 255COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClearVariant
                                                                                                          • String ID:
                                                                                                          • API String ID: 1473721057-0
                                                                                                          • Opcode ID: e8abe42c1057cb3860218bb04af0a307767d699fcca626a70098e271a71bf477
                                                                                                          • Instruction ID: 1f11e118333250ff1b1cce483c812f274274124743f71e781b8a547d9d3e43da
                                                                                                          • Opcode Fuzzy Hash: e8abe42c1057cb3860218bb04af0a307767d699fcca626a70098e271a71bf477
                                                                                                          • Instruction Fuzzy Hash: 35917E706042009FC714DF55D890A6AB7E5EF89318F14896FF849AB392D738EE41CB9E
                                                                                                          Function 0040EFE0 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                                                                                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                                                          • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
                                                                                                          • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                                                          • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
                                                                                                          Function 0041511A Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __lock_file_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 26237723-0
                                                                                                          • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                                                          • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                                                                                                          • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                                                          • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                                                                                                          Function 00414E94 Relevance: 3.0, APIs: 2, Instructions: 39COMMONLIBRARYCODE
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                                          • __lock_file.LIBCMT ref: 00414EE4
                                                                                                            • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                                                                                          • __fclose_nolock.LIBCMT ref: 00414EEE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 717694121-0
                                                                                                          • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                                                          • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                                                                                                          • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                                                          • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                                                                                                          Function 004098B8 Relevance: 3.0, APIs: 2, Instructions: 32windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • TranslateMessage.USER32(?), ref: 004098F6
                                                                                                          • DispatchMessageW.USER32(?), ref: 00409901
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message$DispatchTranslate
                                                                                                          • String ID:
                                                                                                          • API String ID: 1706434739-0
                                                                                                          • Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                                                                          • Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
                                                                                                          • Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
                                                                                                          • Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A
                                                                                                          Function 004098B6 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • TranslateMessage.USER32(?), ref: 004098F6
                                                                                                          • DispatchMessageW.USER32(?), ref: 00409901
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message$DispatchTranslate
                                                                                                          • String ID:
                                                                                                          • API String ID: 1706434739-0
                                                                                                          • Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                                                                          • Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
                                                                                                          • Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
                                                                                                          • Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A
                                                                                                          Function 03E8CC70 Relevance: 1.7, APIs: 1, Instructions: 171COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 03E8C4E0: GetFileAttributesW.KERNELBASE(?), ref: 03E8C4EB
                                                                                                          • CreateDirectoryW.KERNELBASE(?,00000000), ref: 03E8CDDE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AttributesCreateDirectoryFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 3401506121-0
                                                                                                          • Opcode ID: 22b675a4f43430501539b9e1fcaf32deff5e261cdec910f5493c857523801977
                                                                                                          • Instruction ID: 99412e9eeb0da2d3bf106cd2b50ba281739dd6134c7f0b27ed0d767c858990f5
                                                                                                          • Opcode Fuzzy Hash: 22b675a4f43430501539b9e1fcaf32deff5e261cdec910f5493c857523801977
                                                                                                          • Instruction Fuzzy Hash: 1B619431E10209D7EF14EFA0D944BEFB33AEF58300F105569A60DEB290EB759A44CBA5
                                                                                                          Function 00410D40 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                          • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                                                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                          • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                                                                                                          Function 004092C0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
                                                                                                          • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                                                                                                          • Opcode Fuzzy Hash: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
                                                                                                          • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                                                                                                          Function 00401108 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProcWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 181713994-0
                                                                                                          • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                                                          • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                                                                                                          • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                                                          • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                                                                                                          Function 03E8C4E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetFileAttributesW.KERNELBASE(?), ref: 03E8C4EB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AttributesFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 3188754299-0
                                                                                                          • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                          • Instruction ID: 96e09831bf1405581b011c13d47dee62ee83c37233fb736291de2870234bd2ef
                                                                                                          • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                          • Instruction Fuzzy Hash: 06E08630D16208DBCF10DBA888146E9B3A8D707310F204B54E80EC3180D53099409625
                                                                                                          Function 0041AA31 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateHeap
                                                                                                          • String ID:
                                                                                                          • API String ID: 10892065-0
                                                                                                          • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                                                          • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                                                                                                          • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                                                          • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                                                                                                          Function 00444343 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                                                                                                          • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$PointerWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 539440098-0
                                                                                                          • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                                                          • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                                                                                                          • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                                                          • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                                                                                                          Function 03E8C4B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetFileAttributesW.KERNELBASE(?), ref: 03E8C4BB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AttributesFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 3188754299-0
                                                                                                          • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                          • Instruction ID: b82d4731748b42adbad858ebb5c162b0bbdd069762a1d6cab414bbfa23db755a
                                                                                                          • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                          • Instruction Fuzzy Hash: AAD0A771D0520CEBCB10EFB49C049EAB3ACD705324F104794FD1EC3280D6319A849760
                                                                                                          Function 0040116E Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProcWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 181713994-0
                                                                                                          • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                                                          • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                                                                                                          • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                                                          • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                                                                                                          Function 00414E06 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wfsopen
                                                                                                          • String ID:
                                                                                                          • API String ID: 197181222-0
                                                                                                          • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                                                          • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                                                                                                          • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                                                          • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                                                                                                          Function 0040D900 Relevance: 1.3, APIs: 1, Instructions: 22COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 2962429428-0
                                                                                                          • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                                                          • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                                                                                                          • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                                                          • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                                                                                                          Function 03E8DEDC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • Sleep.KERNELBASE(000001F4), ref: 03E8DEF1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Sleep
                                                                                                          • String ID:
                                                                                                          • API String ID: 3472027048-0
                                                                                                          • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                          • Instruction ID: d6812557643f35c38d224527d38e2e07c0d3ab76a5e507f86b1d89499f0c0bb2
                                                                                                          • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                          • Instruction Fuzzy Hash: 6CE0BF7494410DEFDB00EFA8D9496DE7BB4EF04301F1006A1FD05E7680DB309E549A66
                                                                                                          Function 03E8DEE0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • Sleep.KERNELBASE(000001F4), ref: 03E8DEF1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Sleep
                                                                                                          • String ID:
                                                                                                          • API String ID: 3472027048-0
                                                                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                          • Instruction ID: 8251c1b0009dab11061c7b6c0cbc8f425b22051152c002ddf3489f22d34e84ce
                                                                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                          • Instruction Fuzzy Hash: 06E0E67494410DDFDB00EFB8D94969E7FB4EF04301F1002A1FD05E2280D7309D509A62

                                                                                                          Non-executed Functions

                                                                                                          Function 004045E0 Relevance: 81.9, Strings: 63, Instructions: 3193COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PF$PF$"DF$$JG$&F$&F$'HG$'|G$*"D$*nF$*vG$+%F$0wE$4rE$5CG$6MG$6NF$6tE$7eF$<HF$<G$ApG$BnE$DvE$F)G$GSG$IqE$K@G$LbF$MdF$MuE$NgF$O*F$PIF$QbG$R+F$RnG$YlE$YtG$Z9G$ZPG$^[F$^oE$_7G$_?G$b"D$fH$i}G$j)F$kQG$lE$rTG$vjE$}eE$~mE$*F$.F$3G$_G$`F$mE$pE$wG
                                                                                                          • API String ID: 0-4260964411
                                                                                                          • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                                                                          • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                                                                                                          • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                                                                                                          • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                                                                                                          Function 0047C08E Relevance: 74.2, APIs: 40, Strings: 2, Instructions: 676windowkeyboardCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                                                                                          • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                                                                                          • GetKeyState.USER32(00000011), ref: 0047C1A4
                                                                                                          • GetKeyState.USER32(00000009), ref: 0047C1AD
                                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                                                                                          • GetKeyState.USER32(00000010), ref: 0047C1CA
                                                                                                          • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                                                                                                          • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                                                                                          • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                                                                                          • SendMessageW.USER32 ref: 0047C2FB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$State$LongProcWindow
                                                                                                          • String ID: @GUI_DRAGID$F
                                                                                                          • API String ID: 1562745308-4164748364
                                                                                                          • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                                                          • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                                                                                                          • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                                                                                                          • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
                                                                                                          Function 004375B0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 126threadkeyboardwindowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                                                                                                          • IsIconic.USER32(?), ref: 004375E1
                                                                                                          • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                                                                                                          • SetForegroundWindow.USER32(?), ref: 004375FD
                                                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00437619
                                                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                                                                                                          • SetForegroundWindow.USER32(?), ref: 00437645
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0043765D
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 00437674
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0043768B
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 004376A2
                                                                                                          • SetForegroundWindow.USER32(?), ref: 004376AD
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                          • String ID: Shell_TrayWnd
                                                                                                          • API String ID: 3778422247-2988720461
                                                                                                          • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                                                                          • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
                                                                                                          • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                                                                                                          • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
                                                                                                          Function 004461ED Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 227processCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 0044621B
                                                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                                                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                                                                                                          • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                                                                                                          • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                                                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                                                                                                          • _wcslen.LIBCMT ref: 0044639E
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                          • _wcsncpy.LIBCMT ref: 004463C7
                                                                                                          • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                                                                                                          • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                                                                                                          • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                                                                                                          • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                                                                                                          • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                                                                                                          • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                                                                                                          • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                                                                                                          • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                                                                                                          • String ID: $default$winsta0
                                                                                                          • API String ID: 2173856841-1027155976
                                                                                                          • Opcode ID: 8783c105518f9fa52f5c80a6299cf7ec7b6e28c011eada52347f54b488ad9e21
                                                                                                          • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                                                                                                          • Opcode Fuzzy Hash: 8783c105518f9fa52f5c80a6299cf7ec7b6e28c011eada52347f54b488ad9e21
                                                                                                          • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                                                                                                          Function 0044BD29 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178filestringCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\7xonkSJwuY.exe,?,C:\Users\user\Desktop\7xonkSJwuY.exe,004A8E80,C:\Users\user\Desktop\7xonkSJwuY.exe,0040F3D2), ref: 0040FFCA
                                                                                                            • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                                                                                                            • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                                                                                                            • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                                                                                                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                                                          • _wcscat.LIBCMT ref: 0044BD96
                                                                                                          • _wcscat.LIBCMT ref: 0044BDBF
                                                                                                          • __wsplitpath.LIBCMT ref: 0044BDEC
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                                                                                                          • _wcscpy.LIBCMT ref: 0044BE73
                                                                                                          • _wcscat.LIBCMT ref: 0044BE85
                                                                                                          • _wcscat.LIBCMT ref: 0044BE97
                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                                                                                                          • DeleteFileW.KERNEL32(?), ref: 0044BED5
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
                                                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
                                                                                                          • DeleteFileW.KERNEL32(?), ref: 0044BF17
                                                                                                          • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
                                                                                                          • FindClose.KERNEL32(00000000), ref: 0044BF35
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BF51
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                                                                                                          • FindClose.KERNEL32(00000000), ref: 0044BF7E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                                                          • String ID: \*.*
                                                                                                          • API String ID: 2188072990-1173974218
                                                                                                          • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                                                                          • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
                                                                                                          • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                                                                                                          • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
                                                                                                          Function 0042039F Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282timeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __invoke_watson.LIBCMT ref: 004203A4
                                                                                                            • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                                                                                                            • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                                                                                                            • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
                                                                                                            • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
                                                                                                            • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                                                                                                            • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                                                                                                          • __get_daylight.LIBCMT ref: 004203B0
                                                                                                          • __invoke_watson.LIBCMT ref: 004203BF
                                                                                                          • __get_daylight.LIBCMT ref: 004203CB
                                                                                                          • __invoke_watson.LIBCMT ref: 004203DA
                                                                                                          • ____lc_codepage_func.LIBCMT ref: 004203E2
                                                                                                          • _strlen.LIBCMT ref: 00420442
                                                                                                          • __malloc_crt.LIBCMT ref: 00420449
                                                                                                          • _strlen.LIBCMT ref: 0042045F
                                                                                                          • _strcpy_s.LIBCMT ref: 0042046D
                                                                                                          • __invoke_watson.LIBCMT ref: 00420482
                                                                                                          • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                                                                                                          • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                                                                                                          • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                                                                                                            • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                                                                                                            • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                                                                                                            • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                                                                                                            • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                                                                            • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                                                                          • __invoke_watson.LIBCMT ref: 004205CC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                                                                                                          • String ID: S\
                                                                                                          • API String ID: 4084823496-393906132
                                                                                                          • Opcode ID: bfd6cdc7a190622994bdb3310041947ed274155285f24883495b8b38dd551b1f
                                                                                                          • Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
                                                                                                          • Opcode Fuzzy Hash: bfd6cdc7a190622994bdb3310041947ed274155285f24883495b8b38dd551b1f
                                                                                                          • Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C
                                                                                                          Function 00434D50 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 114fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
                                                                                                          • __swprintf.LIBCMT ref: 00434D91
                                                                                                          • _wcslen.LIBCMT ref: 00434D9B
                                                                                                          • _wcslen.LIBCMT ref: 00434DB0
                                                                                                          • _wcslen.LIBCMT ref: 00434DC5
                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
                                                                                                          • _memset.LIBCMT ref: 00434E27
                                                                                                          • _wcslen.LIBCMT ref: 00434E3C
                                                                                                          • _wcsncpy.LIBCMT ref: 00434E6F
                                                                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00434EB4
                                                                                                          • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00434ECE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                          • String ID: :$\$\??\%s
                                                                                                          • API String ID: 302090198-3457252023
                                                                                                          • Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                                                                                          • Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
                                                                                                          • Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                                                                                                          • Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
                                                                                                          Function 00464422 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 193threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
                                                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
                                                                                                          • GetLastError.KERNEL32 ref: 004644B4
                                                                                                          • GetCurrentThread.KERNEL32 ref: 004644C8
                                                                                                          • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
                                                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
                                                                                                          • String ID: SeDebugPrivilege
                                                                                                          • API String ID: 1312810259-2896544425
                                                                                                          • Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                                                                                          • Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
                                                                                                          • Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                                                                                                          • Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
                                                                                                          Function 004037E0 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 359COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
                                                                                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
                                                                                                          • __wsplitpath.LIBCMT ref: 004038B2
                                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                          • _wcscpy.LIBCMT ref: 004038C7
                                                                                                          • _wcscat.LIBCMT ref: 004038DC
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                            • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
                                                                                                            • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
                                                                                                          • _wcscpy.LIBCMT ref: 004039C2
                                                                                                          • _wcslen.LIBCMT ref: 00403A53
                                                                                                          • _wcslen.LIBCMT ref: 00403AAA
                                                                                                          Strings
                                                                                                          • Error opening the file, xrefs: 0042B8AC
                                                                                                          • Unterminated string, xrefs: 0042B9BA
                                                                                                          • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
                                                                                                          • _, xrefs: 00403B48
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                                                          • API String ID: 4115725249-188983378
                                                                                                          • Opcode ID: e410348e96554644cb024ebf95e8b2d2088fffc0e8404256067a24ee959a0054
                                                                                                          • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
                                                                                                          • Opcode Fuzzy Hash: e410348e96554644cb024ebf95e8b2d2088fffc0e8404256067a24ee959a0054
                                                                                                          • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
                                                                                                          Function 00434BEE Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
                                                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00434C88
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00434C9C
                                                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
                                                                                                          • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00434D35
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00434D43
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 1409584000-438819550
                                                                                                          • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                                                          • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                                                                                                          • Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                                                          • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                                                                                                          Function 00444078 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94timesleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Timetime$Sleep
                                                                                                          • String ID: BUTTON
                                                                                                          • API String ID: 4176159691-3405671355
                                                                                                          • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                                                          • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                                                                                                          • Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                                                          • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                                                                                                          Function 00442E1F Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 134fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,74DE8FB0,74DE8FB0,?,?,00000000), ref: 00442E40
                                                                                                          • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
                                                                                                          • FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
                                                                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
                                                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
                                                                                                          • SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00442F80
                                                                                                            • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                                                                          • FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 2640511053-438819550
                                                                                                          • Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                                                                          • Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
                                                                                                          • Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                                                                          • Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
                                                                                                          Function 00445DD3 Relevance: 18.2, APIs: 12, Instructions: 179COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                                                                                                            • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                                                                                                            • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                                                                                                            • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                                                                                                          • _memset.LIBCMT ref: 00445E61
                                                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00445E92
                                                                                                          • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                                                                                                          • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                                                                                                          • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                                                                                                          • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                                                                                                          • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3490752873-0
                                                                                                          • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                                                          • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                                                                                                          • Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                                                          • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                                                                                                          Function 0047A999 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 288comCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • OleInitialize.OLE32(00000000), ref: 0047AA03
                                                                                                          • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                                                                                          • _memset.LIBCMT ref: 0047AB7C
                                                                                                          • _wcslen.LIBCMT ref: 0047AC68
                                                                                                          • _memset.LIBCMT ref: 0047ACCD
                                                                                                          • CoCreateInstanceEx.OLE32 ref: 0047AD06
                                                                                                          • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                                                                                          Strings
                                                                                                          • NULL Pointer assignment, xrefs: 0047AD84
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                                                                                                          • String ID: NULL Pointer assignment
                                                                                                          • API String ID: 1588287285-2785691316
                                                                                                          • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                                                          • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                                                                                                          • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                                                          • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                                                                                                          Function 004364AA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 79shutdownCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                                                                                                          • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                                                                                                          • GetLastError.KERNEL32 ref: 00436504
                                                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                                                                                                          • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                                                                                                          • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                                                          • String ID: SeShutdownPrivilege
                                                                                                          • API String ID: 2938487562-3733053543
                                                                                                          • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                                                          • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                                                                                                          • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                                                          • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                                                                                                          Function 0043614F Relevance: 16.6, APIs: 11, Instructions: 103COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __swprintf.LIBCMT ref: 00436162
                                                                                                          • __swprintf.LIBCMT ref: 00436176
                                                                                                            • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                                                                                                          • __wcsicoll.LIBCMT ref: 00436185
                                                                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                                                                                                          • LockResource.KERNEL32(00000000), ref: 004361B5
                                                                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                                                                                                          • LockResource.KERNEL32(?), ref: 004361FD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 2406429042-0
                                                                                                          • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                                                          • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                                                                                                          • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                                                                                                          • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                                                                                                          Function 0045D517 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 91COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                                                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                                                                                                          • GetLastError.KERNEL32 ref: 0045D59D
                                                                                                          • SetErrorMode.KERNEL32(?), ref: 0045D629
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                          • API String ID: 4194297153-14809454
                                                                                                          • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                                                          • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                                                                                                          • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                                                                                                          • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                                                                                                          Function 0047AD92 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251comCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                                                                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                                          • OleInitialize.OLE32(00000000), ref: 0047AE06
                                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                          • _wcslen.LIBCMT ref: 0047AE18
                                                                                                          • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                                                                                                          • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
                                                                                                          • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 1915432386-2761332787
                                                                                                          • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                                                          • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                                                                                                          • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                                                                                                          • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                                                                                                          Function 0044ED9A Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 448COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: DEFINE$`$h$h
                                                                                                          • API String ID: 0-4194577831
                                                                                                          • Opcode ID: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                                                                                                          • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                                                                                                          • Opcode Fuzzy Hash: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                                                                                                          • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                                                                                                          Function 0046483C Relevance: 10.6, APIs: 7, Instructions: 103networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • socket.WSOCK32(00000002,00000001,00000006), ref: 004648B0
                                                                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                                                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 004648DA
                                                                                                          • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                                                                                                          • closesocket.WSOCK32(00000000), ref: 0046492D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$bindclosesocketsocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 2609815416-0
                                                                                                          • Opcode ID: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                                                                                                          • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                                                                                                          • Opcode Fuzzy Hash: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                                                                                                          • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                                                                                                          Function 0043701F Relevance: 10.6, APIs: 7, Instructions: 76processCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                                                                                                          • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                                                                                                          • __wsplitpath.LIBCMT ref: 004370A5
                                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                          • _wcscat.LIBCMT ref: 004370BA
                                                                                                          • __wcsicoll.LIBCMT ref: 004370C8
                                                                                                          • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                                          • String ID:
                                                                                                          • API String ID: 2547909840-0
                                                                                                          • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                                                          • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                                                                                                          • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                                                                                                          • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                                                                                          Function 00452126 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127filesleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                                                                                          • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                                                                                          • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                                                                                          • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$CloseFirstNextSleep_wcslen
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 2693929171-438819550
                                                                                                          • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                                                          • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                                                                                                          • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                                                                                                          • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                                                                                                          Function 00436431 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __wcsicoll.LIBCMT ref: 0043643C
                                                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                                                                                                          • __wcsicoll.LIBCMT ref: 00436466
                                                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicollmouse_event
                                                                                                          • String ID: DOWN
                                                                                                          • API String ID: 1033544147-711622031
                                                                                                          • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                                                                          • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                                                                                                          • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                                                                                                          • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                                                                                                          Function 004741BB Relevance: 7.6, APIs: 5, Instructions: 137networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00474213
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00474233
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLastinet_addrsocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 4170576061-0
                                                                                                          • Opcode ID: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
                                                                                                          • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                                                                                                          • Opcode Fuzzy Hash: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
                                                                                                          • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                                                                                                          Function 00456354 Relevance: 7.6, APIs: 5, Instructions: 127keyboardCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                                                          • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                                                          • GetAsyncKeyState.USER32(?), ref: 004563D0
                                                                                                          • GetAsyncKeyState.USER32(?), ref: 004563DC
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456430
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3539004672-0
                                                                                                          • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                                                                          • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                                                                                                          • Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                                                                                                          • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                                                                                                          Function 004772DE Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                                                          • IsWindowVisible.USER32 ref: 00477314
                                                                                                          • IsWindowEnabled.USER32 ref: 00477324
                                                                                                          • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
                                                                                                          • IsIconic.USER32 ref: 0047733F
                                                                                                          • IsZoomed.USER32 ref: 0047734D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                          • String ID:
                                                                                                          • API String ID: 292994002-0
                                                                                                          • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                                                                          • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                                                                                                          • Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                                                                                                          • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                                                                                                          Function 00436D2D Relevance: 7.6, APIs: 5, Instructions: 52filetimeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                                                                          • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$CloseCreateHandleTime
                                                                                                          • String ID:
                                                                                                          • API String ID: 3397143404-0
                                                                                                          • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                                                          • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                                                                                                          • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                                                          • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                                                                                                          Function 0044EBBC Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 551COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _strncmp
                                                                                                          • String ID: ACCEPT$^$h
                                                                                                          • API String ID: 909875538-4263704089
                                                                                                          • Opcode ID: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
                                                                                                          • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
                                                                                                          • Opcode Fuzzy Hash: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
                                                                                                          • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
                                                                                                          Function 0045C999 Relevance: 4.6, APIs: 3, Instructions: 130fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                                                                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                                          • String ID:
                                                                                                          • API String ID: 3541575487-0
                                                                                                          • Opcode ID: 14602e3ddb85434cb4a191148b4ac58dc13c9e22f939418703ff5d8e88b69fcb
                                                                                                          • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                                                                                                          • Opcode Fuzzy Hash: 14602e3ddb85434cb4a191148b4ac58dc13c9e22f939418703ff5d8e88b69fcb
                                                                                                          • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                                                                                                          Function 00436ADE Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                                                                                                          • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00436B13
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                                                          • String ID:
                                                                                                          • API String ID: 48322524-0
                                                                                                          • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                                                          • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
                                                                                                          • Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                                                          • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
                                                                                                          Function 00443390 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __time64.LIBCMT ref: 004433A2
                                                                                                            • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                                                            • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                                                          • String ID: rJ
                                                                                                          • API String ID: 2893107130-1865492326
                                                                                                          • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                                                          • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                                                                                                          • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                                                          • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                                                                                                          Function 00443391 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __time64.LIBCMT ref: 004433A2
                                                                                                            • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                                                            • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                                                          • String ID: rJ
                                                                                                          • API String ID: 2893107130-1865492326
                                                                                                          • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                                                          • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                                                                                                          • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                                                          • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                                                                                                          Function 0044289D Relevance: 3.1, APIs: 2, Instructions: 82networkfileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                                                                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                                                                                                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 901099227-0
                                                                                                          • Opcode ID: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                                                                                                          • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                                                                                                          • Opcode Fuzzy Hash: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                                                                                                          • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
                                                                                                          Function 0045DD7C Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                                                                                                          • FindClose.KERNEL32(00000000), ref: 0045DDDD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                          • String ID:
                                                                                                          • API String ID: 2295610775-0
                                                                                                          • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                                                          • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                                                                                                          • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                                                          • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                                                                                                          Function 0047CBF0 Relevance: 2.9, Strings: 2, Instructions: 418COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 0vH$HH
                                                                                                          • API String ID: 0-728391547
                                                                                                          • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                                                          • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                                                                                                          • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                                                          • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                                                                                                          Function 0040F890 Relevance: 2.1, APIs: 1, Instructions: 589COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 2102423945-0
                                                                                                          • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                                                          • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                                                                                                          • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                                                          • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                                                                                                          Function 0047E1FA Relevance: 2.0, APIs: 1, Instructions: 499COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Proc
                                                                                                          • String ID:
                                                                                                          • API String ID: 2346855178-0
                                                                                                          • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                                                          • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                                                                                                          • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                                                          • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                                                                                                          Function 0045A259 Relevance: 1.5, APIs: 1, Instructions: 21keyboardCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • BlockInput.USER32(00000001), ref: 0045A272
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BlockInput
                                                                                                          • String ID:
                                                                                                          • API String ID: 3456056419-0
                                                                                                          • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                                                          • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
                                                                                                          • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                                                          • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
                                                                                                          Function 0043916A Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LogonUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 1244722697-0
                                                                                                          • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                                                          • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
                                                                                                          • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                                                          • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
                                                                                                          Function 004711D2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: NameUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 2645101109-0
                                                                                                          • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                                                          • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
                                                                                                          • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                                                          • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
                                                                                                          Function 0042202E Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192549508-0
                                                                                                          • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                                                          • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
                                                                                                          • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                                                          • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
                                                                                                          Function 00412C38 Relevance: .4, Instructions: 384COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                                                          • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
                                                                                                          • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                                                          • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
                                                                                                          Function 00412818 Relevance: .4, Instructions: 378COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                                                          • Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
                                                                                                          • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                                                          • Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
                                                                                                          Function 0041240C Relevance: .4, Instructions: 361COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                                          • Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
                                                                                                          • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                                          • Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
                                                                                                          Function 00412038 Relevance: .4, Instructions: 351COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                                                          • Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
                                                                                                          • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                                                          • Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
                                                                                                          Function 03E8F2A0 Relevance: .1, Instructions: 92COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                          • Instruction ID: 57a34919c1f7279bcae1e9c9f52e8cac65e91a90233e602c82478d2f108b8fdd
                                                                                                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                          • Instruction Fuzzy Hash: 7841A271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50
                                                                                                          Function 03E8F130 Relevance: .0, Instructions: 35COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                          • Instruction ID: 2fab3cb4f96d460dcced9308d88a88b2285c853ad8cbe95f30e776a320d07969
                                                                                                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                          • Instruction Fuzzy Hash: 45019278E00209EFCB44EF98D5909AEF7B5FB48310F2086D9D809A7301E730AE42DB80
                                                                                                          Function 03E8F190 Relevance: .0, Instructions: 35COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                          • Instruction ID: f0bac22b750e336d156cc0b65c2abbbb8703c3128ab6e40505e94cd4474d23c5
                                                                                                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                          • Instruction Fuzzy Hash: 33019678E00209EFCB45EF98D5909ADF7B5FB48310F208699D809A7301D730AE42DB80
                                                                                                          Function 00410D10 Relevance: .0, Instructions: 19COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                                                          • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                                                                                                          • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                                                          • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                                                                                                          Function 03E8DAB0 Relevance: .0, Instructions: 6COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1684600582.0000000003E8B000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E8B000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3e8b000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                                          Function 00459384 Relevance: 79.2, APIs: 41, Strings: 4, Instructions: 480filewindowcomCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DeleteObject.GDI32(?), ref: 004593D7
                                                                                                          • DeleteObject.GDI32(?), ref: 004593F1
                                                                                                          • DestroyWindow.USER32(?), ref: 00459407
                                                                                                          • GetDesktopWindow.USER32 ref: 0045942A
                                                                                                          • GetWindowRect.USER32(00000000), ref: 00459431
                                                                                                          • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                                                                                                          • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                                                                                                          • GetClientRect.USER32(00000000,?), ref: 004595C8
                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                                                                                                          • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00459668
                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                                                                                                          • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
                                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 004596C0
                                                                                                          • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                                                                                                          • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                                                                                                          • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                                                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                                                                                                          • GetStockObject.GDI32(00000011), ref: 004597B7
                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                                                                                                          • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
                                                                                                          • DeleteDC.GDI32(00000000), ref: 004597E1
                                                                                                          • _wcslen.LIBCMT ref: 00459800
                                                                                                          • _wcscpy.LIBCMT ref: 0045981F
                                                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                                                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                                                                                                          • GetDC.USER32(?), ref: 004598DE
                                                                                                          • SelectObject.GDI32(00000000,?), ref: 004598EE
                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00459919
                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00459925
                                                                                                          • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                                                                                                          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                                                          • API String ID: 4040870279-2373415609
                                                                                                          • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                                                          • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                                                                                                          • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                                                          • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
                                                                                                          Function 00441E05 Relevance: 49.8, APIs: 33, Instructions: 276COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetSysColor.USER32(00000012), ref: 00441E64
                                                                                                          • SetTextColor.GDI32(?,?), ref: 00441E6C
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                                                                                                          • GetSysColor.USER32(0000000F), ref: 00441E8F
                                                                                                          • SetBkColor.GDI32(?,?), ref: 00441EAA
                                                                                                          • SelectObject.GDI32(?,?), ref: 00441EBA
                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                                                                                                          • GetSysColor.USER32(00000010), ref: 00441EF8
                                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                                                                                                          • FrameRect.USER32(?,?,00000000), ref: 00441F10
                                                                                                          • DeleteObject.GDI32(?), ref: 00441F1B
                                                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                                                                                                          • FillRect.USER32(?,?,?), ref: 00441FB6
                                                                                                            • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                                                                                                            • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                                                            • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                                                            • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                                                            • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                                                                                                            • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                                                            • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                                                            • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                                                                                                            • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                                                                                                            • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                                                            • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                                                            • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                                                                                                            • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 69173610-0
                                                                                                          • Opcode ID: 930605f3cd1c335a452d6420eef3f3c10f8d3d9e6664604232036969332d5250
                                                                                                          • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                                                                                                          • Opcode Fuzzy Hash: 930605f3cd1c335a452d6420eef3f3c10f8d3d9e6664604232036969332d5250
                                                                                                          • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
                                                                                                          Function 00403E50 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 236COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsnicmp
                                                                                                          • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                                                          • API String ID: 1038674560-3360698832
                                                                                                          • Opcode ID: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                                                                                                          • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                                                                                                          • Opcode Fuzzy Hash: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                                                                                                          • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                                                                                                          Function 00433D5C Relevance: 42.2, APIs: 28, Instructions: 198windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetSysColor.USER32(0000000E), ref: 00433D81
                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                                                          • GetSysColor.USER32(00000012), ref: 00433DA3
                                                                                                          • SetTextColor.GDI32(?,?), ref: 00433DAB
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                                                          • GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                                                          • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                                                                                          • GetSysColor.USER32(00000011), ref: 00433DEB
                                                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                                                          • SetBkColor.GDI32(?,?), ref: 00433E19
                                                                                                          • SelectObject.GDI32(?,?), ref: 00433E29
                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                                                          • GetWindowLongW.USER32 ref: 00433E8A
                                                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                                                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                                                                                                          • DrawFocusRect.USER32(?,?), ref: 00433F1F
                                                                                                          • GetSysColor.USER32(00000011), ref: 00433F2E
                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                                                                                          • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                                                                                          • SelectObject.GDI32(?,?), ref: 00433F63
                                                                                                          • DeleteObject.GDI32(?), ref: 00433F70
                                                                                                          • SelectObject.GDI32(?,?), ref: 00433F78
                                                                                                          • DeleteObject.GDI32(00000000), ref: 00433F7B
                                                                                                          • SetTextColor.GDI32(?,?), ref: 00433F83
                                                                                                          • SetBkColor.GDI32(?,?), ref: 00433F8F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                          • String ID:
                                                                                                          • API String ID: 1582027408-0
                                                                                                          • Opcode ID: 697ef1e2b469c7a94178de5208286552364449c38c8500f3df1fcdb24db8d4eb
                                                                                                          • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                                                                                                          • Opcode Fuzzy Hash: 697ef1e2b469c7a94178de5208286552364449c38c8500f3df1fcdb24db8d4eb
                                                                                                          • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                                                                                                          Function 0046AEAF Relevance: 40.7, APIs: 17, Strings: 6, Instructions: 417registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AFC2
                                                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,004848E8,00000000,?,00000000,?,?,?,?,?), ref: 0046B01C
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0046B069
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseConnectCreateRegistry
                                                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                          • API String ID: 3217815495-966354055
                                                                                                          • Opcode ID: 337752338d31dd93b2f835fa9ebc931d7674a1ff19a551d1bb3dd8001be44ee6
                                                                                                          • Instruction ID: d9d2404220d166b11353d33fb52652cf6d28829cdaa3b272cf204d1a2c990fb8
                                                                                                          • Opcode Fuzzy Hash: 337752338d31dd93b2f835fa9ebc931d7674a1ff19a551d1bb3dd8001be44ee6
                                                                                                          • Instruction Fuzzy Hash: 2CE1A1B1600300ABD710EF65C885F1BB7E8AF48704F14895EB945DB392D778E945CBAA
                                                                                                          Function 0045657D Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 287windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCursorPos.USER32(?), ref: 00456692
                                                                                                          • GetDesktopWindow.USER32 ref: 004566AA
                                                                                                          • GetWindowRect.USER32(00000000), ref: 004566B1
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                                                                                                          • DestroyWindow.USER32(?), ref: 00456731
                                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                                                                                          • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                                                                                          • IsWindowVisible.USER32(?), ref: 00456812
                                                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                                                                                          • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                                                                                          • GetWindowRect.USER32(?,?), ref: 0045685C
                                                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                                                                                          • GetMonitorInfoW.USER32 ref: 00456894
                                                                                                          • CopyRect.USER32(?,?), ref: 004568A8
                                                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                                                          • String ID: ($,$tooltips_class32
                                                                                                          • API String ID: 541082891-3320066284
                                                                                                          • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                                                          • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                                                                                                          • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                                                          • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                                                                                                          Function 00454DAA Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 203windowlibraryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _wcslen.LIBCMT ref: 00454DCF
                                                                                                          • _wcslen.LIBCMT ref: 00454DE2
                                                                                                          • __wcsicoll.LIBCMT ref: 00454DEF
                                                                                                          • _wcslen.LIBCMT ref: 00454E04
                                                                                                          • __wcsicoll.LIBCMT ref: 00454E11
                                                                                                          • _wcslen.LIBCMT ref: 00454E24
                                                                                                          • __wcsicoll.LIBCMT ref: 00454E31
                                                                                                            • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                                                                                          • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                                                                                                          • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                                                                                          • DestroyIcon.USER32(?), ref: 00454FA2
                                                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                                                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                                                                                                          • String ID: .dll$.exe$.icl
                                                                                                          • API String ID: 2511167534-1154884017
                                                                                                          • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                                                          • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                                                                          • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                                                          • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                                                                                          Function 00436B3A Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 190COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                                                                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                                                                                                          • _wcslen.LIBCMT ref: 00436B79
                                                                                                          • _wcscpy.LIBCMT ref: 00436B9F
                                                                                                          • _wcscat.LIBCMT ref: 00436BC0
                                                                                                          • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                                                                                                          • _wcscat.LIBCMT ref: 00436C2A
                                                                                                          • _wcscat.LIBCMT ref: 00436C31
                                                                                                          • __wcsicoll.LIBCMT ref: 00436C4B
                                                                                                          • _wcsncpy.LIBCMT ref: 00436C62
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                          • API String ID: 1503153545-1459072770
                                                                                                          • Opcode ID: 4bf5914395717010b0ea9e2d69638f6034391d2624482ee6cf2f9dbb9f61e865
                                                                                                          • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                                                                                                          • Opcode Fuzzy Hash: 4bf5914395717010b0ea9e2d69638f6034391d2624482ee6cf2f9dbb9f61e865
                                                                                                          • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                                                                                                          Function 00452788 Relevance: 34.8, APIs: 23, Instructions: 344COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                                                                                          • _fseek.LIBCMT ref: 004527FC
                                                                                                          • __wsplitpath.LIBCMT ref: 0045285C
                                                                                                          • _wcscpy.LIBCMT ref: 00452871
                                                                                                          • _wcscat.LIBCMT ref: 00452886
                                                                                                          • __wsplitpath.LIBCMT ref: 004528B0
                                                                                                          • _wcscat.LIBCMT ref: 004528C8
                                                                                                          • _wcscat.LIBCMT ref: 004528DD
                                                                                                          • __fread_nolock.LIBCMT ref: 00452914
                                                                                                          • __fread_nolock.LIBCMT ref: 00452925
                                                                                                          • __fread_nolock.LIBCMT ref: 00452944
                                                                                                          • __fread_nolock.LIBCMT ref: 00452955
                                                                                                          • __fread_nolock.LIBCMT ref: 00452976
                                                                                                          • __fread_nolock.LIBCMT ref: 00452987
                                                                                                          • __fread_nolock.LIBCMT ref: 00452998
                                                                                                          • __fread_nolock.LIBCMT ref: 004529A9
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                                                            • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                                                            • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                                                          • __fread_nolock.LIBCMT ref: 00452A39
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                                                          • String ID:
                                                                                                          • API String ID: 2054058615-0
                                                                                                          • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                                                          • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                                                                                                          • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                                                          • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                                                                                                          Function 004559A8 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 401COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 0-4108050209
                                                                                                          • Opcode ID: 832d7dfe82571d46151d64c4ba74b7ae12496bc5cddea04242c0c379dd164914
                                                                                                          • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                                                                                                          • Opcode Fuzzy Hash: 832d7dfe82571d46151d64c4ba74b7ae12496bc5cddea04242c0c379dd164914
                                                                                                          • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                                                                                                          Function 004700B0 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                          • GetWindowRect.USER32(?,?), ref: 004701EA
                                                                                                          • GetClientRect.USER32(?,?), ref: 004701FA
                                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00470202
                                                                                                          • GetSystemMetrics.USER32(00000008), ref: 00470216
                                                                                                          • GetSystemMetrics.USER32(00000004), ref: 00470238
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00470273
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                                                                                                          • GetSystemMetrics.USER32(00000008), ref: 004702A8
                                                                                                          • GetSystemMetrics.USER32(00000004), ref: 004702CF
                                                                                                          • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
                                                                                                          • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                                                                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
                                                                                                          • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
                                                                                                          • GetClientRect.USER32(?,?), ref: 00470371
                                                                                                          • GetStockObject.GDI32(00000011), ref: 00470391
                                                                                                          • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                                                                                                          • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                                                                                          • String ID: AutoIt v3 GUI
                                                                                                          • API String ID: 867697134-248962490
                                                                                                          • Opcode ID: 0d702e1f111dc4b461eb7f98f3a5a74387d5f37c8fb6fd827a42ca67ae032642
                                                                                                          • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
                                                                                                          • Opcode Fuzzy Hash: 0d702e1f111dc4b461eb7f98f3a5a74387d5f37c8fb6fd827a42ca67ae032642
                                                                                                          • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
                                                                                                          Function 00448759 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 311COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 2353593579-4108050209
                                                                                                          • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                                                          • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                                                                                                          • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                                                          • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                                                                                                          Function 0044A0EA Relevance: 31.7, APIs: 21, Instructions: 196windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetSysColor.USER32 ref: 0044A11D
                                                                                                          • GetClientRect.USER32(?,?), ref: 0044A18D
                                                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                                                                                          • GetWindowDC.USER32(?), ref: 0044A1B3
                                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                                                                                                          • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                                                                                                          • GetSysColor.USER32(0000000F), ref: 0044A216
                                                                                                          • GetSysColor.USER32(00000005), ref: 0044A21E
                                                                                                          • GetWindowDC.USER32 ref: 0044A277
                                                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                                                                          • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                                                                          • GetStockObject.GDI32(00000005), ref: 0044A312
                                                                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                                                          • String ID:
                                                                                                          • API String ID: 1744303182-0
                                                                                                          • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                                                          • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                                                                                                          • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                                                          • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                                                                                                          Function 0046884B Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 113COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll$__wcsnicmp
                                                                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                          • API String ID: 790654849-1810252412
                                                                                                          • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                                                          • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                                                                                                          • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                                                          • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                                                                                                          Function 00476A8A Relevance: 27.3, APIs: 18, Instructions: 332COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InitVariant
                                                                                                          • String ID:
                                                                                                          • API String ID: 1927566239-0
                                                                                                          • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                                                          • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                                                                                                          • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                                                          • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                                                                                                          Function 0046D6EB Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 474COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                                                                                                          • GetForegroundWindow.USER32 ref: 0046DBA4
                                                                                                          • IsWindow.USER32(?), ref: 0046DBDE
                                                                                                          • GetDesktopWindow.USER32 ref: 0046DCB5
                                                                                                          • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                                                                                                          • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                                                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                                                                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                                          • API String ID: 1322021666-1919597938
                                                                                                          • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                                                          • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                                                                                          • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                                                          • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                                                                                          Function 0045DE12 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 190timeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetLocalTime.KERNEL32(?), ref: 0045DED4
                                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                                                                                                          • _wcsncpy.LIBCMT ref: 0045DF0F
                                                                                                          • __wsplitpath.LIBCMT ref: 0045DF54
                                                                                                          • _wcscat.LIBCMT ref: 0045DF6C
                                                                                                          • _wcscat.LIBCMT ref: 0045DF7E
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                                                                                                          • _wcscpy.LIBCMT ref: 0045E019
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 3201719729-438819550
                                                                                                          • Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                                                                          • Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
                                                                                                          • Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                                                                          • Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
                                                                                                          Function 0043737D Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 83windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll$IconLoad
                                                                                                          • String ID: blank$info$question$stop$warning
                                                                                                          • API String ID: 2485277191-404129466
                                                                                                          • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                                                          • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                                                                                                          • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                                                                                                          • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                                                                                                          Function 00428604 Relevance: 25.8, APIs: 17, Instructions: 306stringCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                                                                                                          • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                                                                                                          • strncnt.LIBCMT ref: 00428646
                                                                                                          • strncnt.LIBCMT ref: 0042865A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: strncnt$CompareErrorLastString
                                                                                                          • String ID:
                                                                                                          • API String ID: 1776594460-0
                                                                                                          • Opcode ID: cbede2ab3098dc57c4dac96df94d7a364594d4e519d6714e71dda43f36421ebe
                                                                                                          • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                                                                                                          • Opcode Fuzzy Hash: cbede2ab3098dc57c4dac96df94d7a364594d4e519d6714e71dda43f36421ebe
                                                                                                          • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                                                                                                          Function 004545C9 Relevance: 25.7, APIs: 17, Instructions: 198windowtimeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadIconW.USER32(?,00000063), ref: 004545DA
                                                                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00454606
                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00454626
                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00454637
                                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                                                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                                                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00454688
                                                                                                          • SetWindowTextW.USER32(?,?), ref: 004546FD
                                                                                                          • GetDesktopWindow.USER32 ref: 00454708
                                                                                                          • GetWindowRect.USER32(00000000), ref: 0045470F
                                                                                                          • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                                                                                                          • GetClientRect.USER32(?,?), ref: 0045476F
                                                                                                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                                                                                                          • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                          • String ID:
                                                                                                          • API String ID: 3869813825-0
                                                                                                          • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                                                          • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                                                                                                          • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                                                          • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                                                                                                          Function 00458D1C Relevance: 25.6, APIs: 17, Instructions: 112COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                                                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                                                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                                                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                                                                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                                                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                                                                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                                                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                                                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                                                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                                                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                                                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                                                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                                                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                                                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                                                                                                          • GetCursorInfo.USER32 ref: 00458E03
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Cursor$Load$Info
                                                                                                          • String ID:
                                                                                                          • API String ID: 2577412497-0
                                                                                                          • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                                                          • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                                                                                                          • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                                                          • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                                                                                                          Function 00469681 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 253windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                                                                                                          • GetFocus.USER32 ref: 004696E0
                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                                                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost$CtrlFocus
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1534620443-4108050209
                                                                                                          • Opcode ID: 3dab727c688772619e9efc5d23afb6fcae73775eddc560d175f3e695e52b8611
                                                                                                          • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                                                                                                          • Opcode Fuzzy Hash: 3dab727c688772619e9efc5d23afb6fcae73775eddc560d175f3e695e52b8611
                                                                                                          • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                                                                                                          Function 004680EB Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 204windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00468107
                                                                                                          • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
                                                                                                          • GetMenuItemCount.USER32(?), ref: 00468227
                                                                                                          • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
                                                                                                          • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
                                                                                                          • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
                                                                                                          • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
                                                                                                          • GetMenuItemCount.USER32 ref: 004682DC
                                                                                                          • SetMenuItemInfoW.USER32 ref: 00468317
                                                                                                          • GetCursorPos.USER32(00000000), ref: 00468322
                                                                                                          • SetForegroundWindow.USER32(?), ref: 0046832D
                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
                                                                                                          • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 3993528054-4108050209
                                                                                                          • Opcode ID: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
                                                                                                          • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                                                                                                          • Opcode Fuzzy Hash: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
                                                                                                          • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                                                                                                          Function 0046F2B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 185windowfileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                                                                                                            • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                                                            • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                                                            • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                                                          • SendMessageW.USER32(?), ref: 0046F34C
                                                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                                                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                                                                                                          • _wcscat.LIBCMT ref: 0046F3BC
                                                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                                                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                                                                                                          • DragFinish.SHELL32(?), ref: 0046F414
                                                                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                          • API String ID: 4085615965-3440237614
                                                                                                          • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                                                          • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                                                                                                          • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                                                          • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
                                                                                                          Function 0044B988 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 73COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll
                                                                                                          • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                                                          • API String ID: 3832890014-4202584635
                                                                                                          • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                                                          • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                                                                                                          • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                                                          • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                                                                                                          Function 00466999 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 312COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 004669C4
                                                                                                          • _wcsncpy.LIBCMT ref: 00466A21
                                                                                                          • _wcsncpy.LIBCMT ref: 00466A4D
                                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                          • _wcstok.LIBCMT ref: 00466A90
                                                                                                            • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
                                                                                                          • _wcstok.LIBCMT ref: 00466B3F
                                                                                                          • _wcscpy.LIBCMT ref: 00466BC8
                                                                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
                                                                                                          • _wcslen.LIBCMT ref: 00466D1D
                                                                                                          • _memset.LIBCMT ref: 00466BEE
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • _wcslen.LIBCMT ref: 00466D4B
                                                                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                                                          • String ID: X$HH
                                                                                                          • API String ID: 3021350936-1944015008
                                                                                                          • Opcode ID: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
                                                                                                          • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                                                                                                          • Opcode Fuzzy Hash: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
                                                                                                          • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                                                                                                          Function 0045F48E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 226windowsleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 0045F4AE
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
                                                                                                          • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
                                                                                                          • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoItemMenu$Sleep_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1504565804-4108050209
                                                                                                          • Opcode ID: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
                                                                                                          • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                                                                                                          • Opcode Fuzzy Hash: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
                                                                                                          • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                                                                                                          Function 004556F8 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 216COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
                                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$CreateDestroy
                                                                                                          • String ID: ,$tooltips_class32
                                                                                                          • API String ID: 1109047481-3856767331
                                                                                                          • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                                                          • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                                                                                                          • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                                                          • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                                                                                                          Function 0045CBCC Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _wcsncpy.LIBCMT ref: 0045CCFA
                                                                                                          • __wsplitpath.LIBCMT ref: 0045CD3C
                                                                                                          • _wcscat.LIBCMT ref: 0045CD51
                                                                                                          • _wcscat.LIBCMT ref: 0045CD63
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                                                                                                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                                                                                                          • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                                                                                                          • _wcscpy.LIBCMT ref: 0045CE14
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 1153243558-438819550
                                                                                                          • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                                                          • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                                                                                                          • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                                                          • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                                                                                                          Function 0045510D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 115windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00455127
                                                                                                          • GetMenuItemInfoW.USER32 ref: 00455146
                                                                                                          • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
                                                                                                          • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
                                                                                                          • GetMenuItemCount.USER32(?), ref: 004551D9
                                                                                                          • SetMenu.USER32(?,00000000), ref: 004551E7
                                                                                                          • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
                                                                                                          • DrawMenuBar.USER32 ref: 00455207
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1663942905-4108050209
                                                                                                          • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                                                          • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                                                                          • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                                                          • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                                                                                          Function 00415C25 Relevance: 22.7, APIs: 15, Instructions: 236COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 1481289235-0
                                                                                                          • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                                                          • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                                                                                          • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                                                          • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                                                                                          Function 0046FB53 Relevance: 22.7, APIs: 15, Instructions: 176windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                                                                                          • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                                                                                          • SendMessageW.USER32 ref: 0046FBAF
                                                                                                          • SendMessageW.USER32 ref: 0046FBE2
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                                                                                                          • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                                                                                          • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                                                                                                          • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                                                                                                          • SendMessageW.USER32 ref: 0046FD00
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$IconImageList_$CreateExtractReplace
                                                                                                          • String ID:
                                                                                                          • API String ID: 2632138820-0
                                                                                                          • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                                                          • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                                                                                          • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                                                          • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                                                                                          Function 00433BAC Relevance: 22.6, APIs: 15, Instructions: 79COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                                                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                                                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                                                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                                                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                                                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                                                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                                                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                                                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                                                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                                                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                                                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                                                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                                                                                                          • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CursorLoad
                                                                                                          • String ID:
                                                                                                          • API String ID: 3238433803-0
                                                                                                          • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                                                          • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                                                                                          • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                                                          • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                                                                                          Function 00460ABB Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                                                                                          • _wcslen.LIBCMT ref: 00460B00
                                                                                                          • __swprintf.LIBCMT ref: 00460B9E
                                                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                                                                                          • GetDlgCtrlID.USER32(?), ref: 00460CE6
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00460D21
                                                                                                          • GetParent.USER32(?), ref: 00460D40
                                                                                                          • ScreenToClient.USER32(00000000), ref: 00460D47
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                                                          • String ID: %s%u
                                                                                                          • API String ID: 1899580136-679674701
                                                                                                          • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                                                          • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                                                                                          • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                                                          • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                                                                                          Function 0047D5F6 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 210COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                          • StringFromIID.OLE32(?,?), ref: 0047D7F0
                                                                                                          • CoTaskMemFree.OLE32(?), ref: 0047D80A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FreeFromStringTask_wcslen$_wcscpy
                                                                                                          • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                                                                                                          • API String ID: 2485709727-934586222
                                                                                                          • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                                                          • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                                                                                          • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                                                          • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                                                                          Function 0045DB3E Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 181COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 3381189665-2761332787
                                                                                                          • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                                                          • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                                                                          • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                                                          • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                                                                                          Function 00434506 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetDC.USER32(00000000), ref: 00434585
                                                                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                                                                                                          • SelectObject.GDI32(00000000,?), ref: 004345A9
                                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                                                                                          • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                                                          • String ID: (
                                                                                                          • API String ID: 3300687185-3887548279
                                                                                                          • Opcode ID: f1a61bd92dc1e5bf4a907c179000b9c6a14a2e3466c3eeb116f883cf8bb2fa69
                                                                                                          • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                                                                                          • Opcode Fuzzy Hash: f1a61bd92dc1e5bf4a907c179000b9c6a14a2e3466c3eeb116f883cf8bb2fa69
                                                                                                          • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                                                                                                          Function 0045E41B Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 150COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                                                                                          • __swprintf.LIBCMT ref: 0045E4D9
                                                                                                          • _printf.LIBCMT ref: 0045E595
                                                                                                          • _printf.LIBCMT ref: 0045E5B7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LoadString_printf$__swprintf_wcslen
                                                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                                                                                          • API String ID: 3590180749-2894483878
                                                                                                          • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                                                          • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                                                                                          • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                                                          • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                                                                                          Function 0046F90E Relevance: 21.1, APIs: 14, Instructions: 147windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                                                                                                          • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                                                                                                          • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                                                                                          • DeleteObject.GDI32(?), ref: 0046F950
                                                                                                          • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                                                                                                          • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                                                                                          • DeleteObject.GDI32(?), ref: 0046F9CF
                                                                                                          • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                                                                                                          • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                                                                                          • DestroyIcon.USER32(?), ref: 0046FA4F
                                                                                                          • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                                                                                          • DeleteObject.GDI32(?), ref: 0046FA68
                                                                                                          • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3412594756-0
                                                                                                          • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                                                          • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                                                                                          • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                                                          • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                                                                                          Function 0045D971 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 140COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                                          • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                          • API String ID: 4013263488-4113822522
                                                                                                          • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                                                          • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                                                                                          • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                                                          • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                                                                                          Function 00435A35 Relevance: 21.1, APIs: 14, Instructions: 136timeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                                                                                          • String ID:
                                                                                                          • API String ID: 228034949-0
                                                                                                          • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                                                          • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                                                                                          • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                                                          • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                                                                                          Function 004334CA Relevance: 21.1, APIs: 14, Instructions: 132filecommemoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00433523
                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                                                                                                          • DeleteObject.GDI32(?), ref: 00433603
                                                                                                          • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                          • String ID:
                                                                                                          • API String ID: 3969911579-0
                                                                                                          • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                                                          • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                                                                          • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                                                          • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                                                                                          Function 0045EEFF Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 74COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045EF6C
                                                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EF81
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045EF94
                                                                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045EFAB
                                                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EFB8
                                                                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045EFD2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: SendString$_wcslen
                                                                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                          • API String ID: 2420728520-1007645807
                                                                                                          • Opcode ID: 2e8e49e05c1f121906b47c7a82fbb4c843ecfb9788746b18ac8014d8855edcbb
                                                                                                          • Instruction ID: e5e6e3524f15ee9b53aa238c1547bf14c0af5fa70a1fb0ad50a0449216793e57
                                                                                                          • Opcode Fuzzy Hash: 2e8e49e05c1f121906b47c7a82fbb4c843ecfb9788746b18ac8014d8855edcbb
                                                                                                          • Instruction Fuzzy Hash: F321A53164830476E220FB51DC87F9E7798AB84B14F200D3BBA407A0D1DBA8E94CC76E
                                                                                                          Function 00445A77 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 73windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetParent.USER32 ref: 00445A8D
                                                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                                                                                          • __wcsicoll.LIBCMT ref: 00445AC4
                                                                                                          • __wcsicoll.LIBCMT ref: 00445AE0
                                                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                          • API String ID: 3125838495-3381328864
                                                                                                          • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                                                          • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                                                                                          • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                                                          • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                                                                                          Function 00479921 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 314COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CopyVariant$ErrorLast
                                                                                                          • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                                                                                          • API String ID: 2286883814-4206948668
                                                                                                          • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                                                          • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                                                                                          • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                                                          • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                                                                                          Function 00475D8B Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 194COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                                                            • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                                          • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                                                                                          • _wcscpy.LIBCMT ref: 00475F18
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                                                          • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                                                                                                          • API String ID: 3052893215-4176887700
                                                                                                          • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                                                          • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                                                                                          • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                                                          • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                                                                                          Function 004582BF Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 165registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                                                                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                                                                                                          • RegQueryValueExW.ADVAPI32 ref: 00458381
                                                                                                          • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                                                                                                          • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                                                                                          • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                                                                                            • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                                                                                          • String ID: Version$\TypeLib$interface\
                                                                                                          • API String ID: 656856066-939221531
                                                                                                          • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                                                          • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                                                                                          • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                                                          • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                                                                                          Function 0045E62E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 155COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                                                                                          • __swprintf.LIBCMT ref: 0045E6EE
                                                                                                          • _printf.LIBCMT ref: 0045E7A9
                                                                                                          • _printf.LIBCMT ref: 0045E7D2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LoadString_printf$__swprintf_wcslen
                                                                                                          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                          • API String ID: 3590180749-2354261254
                                                                                                          • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                                                          • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                                                                                          • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                                                          • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                                                                                          Function 00452E2A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 154COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                                                          • String ID: %.15g$0x%p$False$True
                                                                                                          • API String ID: 3038501623-2263619337
                                                                                                          • Opcode ID: 19a4eb4a0385f4e3e29933f3f54d071d1af3cac5b39b122aee5b24a105b2230c
                                                                                                          • Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
                                                                                                          • Opcode Fuzzy Hash: 19a4eb4a0385f4e3e29933f3f54d071d1af3cac5b39b122aee5b24a105b2230c
                                                                                                          • Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E
                                                                                                          Function 004580E1 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 136registryshareCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • _memset.LIBCMT ref: 00458194
                                                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                                                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                                                                          • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                          • API String ID: 2255324689-22481851
                                                                                                          • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                                                          • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                                                                          • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                                                          • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                                                                          Function 004584D6 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 105registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                                                                          • __wcsicoll.LIBCMT ref: 004585D6
                                                                                                          • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                                                                          • String ID: ($interface$interface\
                                                                                                          • API String ID: 2231185022-3327702407
                                                                                                          • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                                                          • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                                                                          • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                                                          • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                                                                          Function 00436582 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                                                                          • String ID: 0.0.0.0
                                                                                                          • API String ID: 2691793716-3771769585
                                                                                                          • Opcode ID: edbc70afde67a55f4b99ee40814c5331da24f6846b253968828d225e396465d4
                                                                                                          • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                                                                          • Opcode Fuzzy Hash: edbc70afde67a55f4b99ee40814c5331da24f6846b253968828d225e396465d4
                                                                                                          • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                                                                          Function 00416B12 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                                                                          • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                                                                            • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                                                                            • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                                                                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                                                                                          • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                                                                                          • __lock.LIBCMT ref: 00416B8A
                                                                                                          • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                                                                                          • __lock.LIBCMT ref: 00416BAB
                                                                                                          • ___addlocaleref.LIBCMT ref: 00416BC9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                                          • API String ID: 1028249917-2843748187
                                                                                                          • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                                                          • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                                                                                          • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                                                          • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                                                                                          Function 0044920C Relevance: 18.2, APIs: 12, Instructions: 243windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                                                                                          • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                                                                                          • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                                                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                                                                                          • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                                                                                          • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$CharNext
                                                                                                          • String ID:
                                                                                                          • API String ID: 1350042424-0
                                                                                                          • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                                                          • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                                                                                          • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                                                          • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                                                                                          Function 00453B94 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                                                                                                          • SetKeyboardState.USER32(?), ref: 00453C5A
                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                                                                                                          • GetKeyState.USER32(000000A0), ref: 00453C99
                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                                                                                                          • GetKeyState.USER32(000000A1), ref: 00453CDA
                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                                                                                                          • GetKeyState.USER32(00000011), ref: 00453D15
                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                                                                                                          • GetKeyState.USER32(00000012), ref: 00453D4D
                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                                                                                                          • GetKeyState.USER32(0000005B), ref: 00453D85
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: State$Async$Keyboard
                                                                                                          • String ID:
                                                                                                          • API String ID: 541375521-0
                                                                                                          • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                                                          • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                                                                                          • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                                                          • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
                                                                                                          Function 00437DB1 Relevance: 18.2, APIs: 12, Instructions: 180COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                                                                                          • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                                                                                          • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                                                                                          • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                                                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                                                          • String ID:
                                                                                                          • API String ID: 3096461208-0
                                                                                                          • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                                                          • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                                                                                          • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                                                          • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
                                                                                                          Function 00436879 Relevance: 18.1, APIs: 12, Instructions: 115COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 136442275-0
                                                                                                          • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                                                          • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
                                                                                                          • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
                                                                                                          • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
                                                                                                          Function 0046B39A Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 401registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConnectRegistry_wcslen
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 535477410-2761332787
                                                                                                          • Opcode ID: e91c6bd909ad74ed1928ed0244ed8aa8a8dc52ba60fb0b240039b69f8a910896
                                                                                                          • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
                                                                                                          • Opcode Fuzzy Hash: e91c6bd909ad74ed1928ed0244ed8aa8a8dc52ba60fb0b240039b69f8a910896
                                                                                                          • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
                                                                                                          Function 00460473 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                                                                                                          • _wcslen.LIBCMT ref: 00460502
                                                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                                                                                                          • GetWindowRect.USER32(?,?), ref: 004606AD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                                                                                                          • String ID: ThumbnailClass
                                                                                                          • API String ID: 4123061591-1241985126
                                                                                                          • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                                                          • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
                                                                                                          • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
                                                                                                          • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
                                                                                                          Function 0046F50B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 157windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                                                                                                            • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                                                                                                            • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                                                                                                            • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                                                                                                          • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                                                                                                          • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                                                                                                          • ImageList_EndDrag.COMCTL32 ref: 0046F583
                                                                                                          • ReleaseCapture.USER32 ref: 0046F589
                                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                                                                                                          • API String ID: 2483343779-2060113733
                                                                                                          • Opcode ID: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                                                                                                          • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                                                                                                          • Opcode Fuzzy Hash: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                                                                                                          • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                                                                                                          Function 0046FD7F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 143windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                                                                                                          • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                                                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                                                                                          • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                                                                                          • GetClientRect.USER32(?,?), ref: 0046FEF2
                                                                                                          • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                                                                                                          • DestroyIcon.USER32(?), ref: 0046FFCC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                                                          • String ID: 2
                                                                                                          • API String ID: 1331449709-450215437
                                                                                                          • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                                                          • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                                                                                                          • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                                                          • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                                                                                                          Function 00450E7D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DestroyWindow
                                                                                                          • String ID: static
                                                                                                          • API String ID: 3375834691-2160076837
                                                                                                          • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                                                          • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                                                                                                          • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                                                          • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                                                                                                          Function 004393E2 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                                                                                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                                                                                          • _memcmp.LIBCMT ref: 004394A9
                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                                                                                                          Strings
                                                                                                          • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                                                                                          • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                                                                          • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                                                                          • API String ID: 1446985595-805462909
                                                                                                          • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                                                          • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                                                                                          • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                                                          • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                                                                                          Function 0045D83D Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 86COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                                                                          • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$DriveType
                                                                                                          • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                                                                          • API String ID: 2907320926-41864084
                                                                                                          • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                                                          • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                                                                                          • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                                                          • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                                                                                                          Function 00467214 Relevance: 16.8, APIs: 11, Instructions: 313COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                                                                                          • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                          • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 1932665248-0
                                                                                                          • Opcode ID: 16f99e80be173eecdd1bb573f6b7f825babaa5351af7cc3efc94bb11c862a2f8
                                                                                                          • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                                                                                          • Opcode Fuzzy Hash: 16f99e80be173eecdd1bb573f6b7f825babaa5351af7cc3efc94bb11c862a2f8
                                                                                                          • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                                                                                                          Function 004480F2 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                                                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                                                                                                          • _memset.LIBCMT ref: 004481BA
                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                                                                                                          • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                                                                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                                                                                                          • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                                                                                                          • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                                                                                                          • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$LongWindow_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 830647256-0
                                                                                                          • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                                                          • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                                                                                                          • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                                                          • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                                                                                                          Function 0046EA7F Relevance: 16.7, APIs: 11, Instructions: 167windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                                                          • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                                                                                                          • DeleteObject.GDI32(00000000), ref: 0046EB4F
                                                                                                          • DestroyIcon.USER32(00000000), ref: 0046EB67
                                                                                                          • DeleteObject.GDI32(6F315E3C), ref: 0046EB7F
                                                                                                          • DestroyWindow.USER32(00000007), ref: 0046EB97
                                                                                                          • DestroyIcon.USER32(?), ref: 0046EBBF
                                                                                                          • DestroyIcon.USER32(?), ref: 0046EBCD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 802431696-0
                                                                                                          • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                                                          • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                                                                                                          • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                                                          • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                                                                                                          Function 00444D52 Relevance: 16.6, APIs: 11, Instructions: 132keyboardCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                                                                                                          • GetKeyState.USER32(000000A0), ref: 00444E26
                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                                                                                                          • GetKeyState.USER32(000000A1), ref: 00444E51
                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                                                                                                          • GetKeyState.USER32(00000011), ref: 00444E77
                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                                                                                                          • GetKeyState.USER32(00000012), ref: 00444E9D
                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                                                                                                          • GetKeyState.USER32(0000005B), ref: 00444EC3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: State$Async$Keyboard
                                                                                                          • String ID:
                                                                                                          • API String ID: 541375521-0
                                                                                                          • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                                                                          • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                                                                                                          • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                                                                                                          • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
                                                                                                          Function 004507E7 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 146windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                                                                                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
                                                                                                          • _wcslen.LIBCMT ref: 00450944
                                                                                                          • _wcscat.LIBCMT ref: 00450955
                                                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                                                                                                          • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window_wcscat_wcslen
                                                                                                          • String ID: -----$SysListView32
                                                                                                          • API String ID: 4008455318-3975388722
                                                                                                          • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                                                                          • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                                                                                                          • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                                                                                                          • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                                                                                                          Function 00448602 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00448625
                                                                                                          • CreateMenu.USER32 ref: 0044863C
                                                                                                          • SetMenu.USER32(?,00000000), ref: 0044864C
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
                                                                                                          • IsMenu.USER32(?), ref: 004486EB
                                                                                                          • CreatePopupMenu.USER32 ref: 004486F5
                                                                                                          • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
                                                                                                          • DrawMenuBar.USER32 ref: 00448742
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 176399719-4108050209
                                                                                                          • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                                                                          • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                                                                                                          • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                                                                                                          • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                                                                                                          Function 004691F4 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469289
                                                                                                          • GetParent.USER32 ref: 004692A4
                                                                                                          • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 004692AE
                                                                                                          • GetParent.USER32 ref: 004692C7
                                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$CtrlParent$_wcslen
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 2040099840-1403004172
                                                                                                          • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                                                          • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                                                                                                          • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                                                          • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                                                                                                          Function 004693F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 87windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 00469483
                                                                                                          • GetParent.USER32 ref: 0046949E
                                                                                                          • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                                                                                                          • GetParent.USER32 ref: 004694C1
                                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$CtrlParent$_wcslen
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 2040099840-1403004172
                                                                                                          • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                                                                          • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                                                                                                          • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                                                                                                          • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                                                                                                          Function 00448DAF Relevance: 15.2, APIs: 10, Instructions: 173windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                                                                                                          • SendMessageW.USER32(75C123D0,00001001,00000000,00000000), ref: 00448E73
                                                                                                          • SendMessageW.USER32(75C123D0,00001026,00000000,00000000), ref: 00448E7E
                                                                                                            • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                                                                          • String ID:
                                                                                                          • API String ID: 3771399671-0
                                                                                                          • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                                                          • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                                                                                                          • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                                                                                                          • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                                                                                                          Function 0046ECBF Relevance: 15.1, APIs: 10, Instructions: 101COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 3413494760-0
                                                                                                          • Opcode ID: afb533e23b19910be0c027df8fa87fd227b592e7e5a0e6e969ae1a59b8da4157
                                                                                                          • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                                                                                                          • Opcode Fuzzy Hash: afb533e23b19910be0c027df8fa87fd227b592e7e5a0e6e969ae1a59b8da4157
                                                                                                          • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                                                                                                          Function 004377B4 Relevance: 15.1, APIs: 10, Instructions: 97threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 004377D7
                                                                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                                                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                                                                                                          • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                          • String ID:
                                                                                                          • API String ID: 2156557900-0
                                                                                                          • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                                                          • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                                                                                          • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                                                          • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
                                                                                                          Function 0045F776 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 446COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll
                                                                                                          • String ID: 0%d$DOWN$OFF
                                                                                                          • API String ID: 3832890014-468733193
                                                                                                          • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                                                          • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                                                                                          • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                                                          • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                                                                                          Function 0045E912 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 353timeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                                                                                          • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                                                                                          • VariantClear.OLEAUT32 ref: 0045E970
                                                                                                          • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                                                                                          • __swprintf.LIBCMT ref: 0045EB1F
                                                                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                                                                                          Strings
                                                                                                          • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                                                                                          • String ID: %4d%02d%02d%02d%02d%02d
                                                                                                          • API String ID: 43541914-1568723262
                                                                                                          • Opcode ID: 59f20d5c687eca5b8ac21bf224ed8e62dc0999386ac77495242af5446a13f09a
                                                                                                          • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                                                                                          • Opcode Fuzzy Hash: 59f20d5c687eca5b8ac21bf224ed8e62dc0999386ac77495242af5446a13f09a
                                                                                                          • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                                                                                          Function 0042FE54 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 298sleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                                                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DecrementInterlocked$Sleep
                                                                                                          • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                                                                          • API String ID: 2250217261-3412429629
                                                                                                          • Opcode ID: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
                                                                                                          • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                                                                                                          • Opcode Fuzzy Hash: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
                                                                                                          • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                                                                                                          Function 004689FF Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 288COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                          • API String ID: 0-1603158881
                                                                                                          • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                                                          • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                                                                                                          • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                                                          • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                                                                                                          Function 00479C97 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 274COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00479D1F
                                                                                                          • VariantInit.OLEAUT32(?), ref: 00479F06
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00479F11
                                                                                                          • VariantInit.OLEAUT32(?), ref: 00479DF7
                                                                                                            • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                                                                                            • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                                                                                            • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00479F9C
                                                                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                                                                                          • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                          • API String ID: 665237470-60002521
                                                                                                          • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                                                          • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                                                                                                          • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                                                          • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                                                                                                          Function 0046A75F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConnectRegistry_wcslen
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 535477410-2761332787
                                                                                                          • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                                                          • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                                                                                                          • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                                                          • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                                                                                                          Function 0045F2C5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 146windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 0045F317
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                                                                                                          • IsMenu.USER32(?), ref: 0045F380
                                                                                                          • CreatePopupMenu.USER32 ref: 0045F3C5
                                                                                                          • GetMenuItemCount.USER32(?), ref: 0045F42F
                                                                                                          • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                          • String ID: 0$2
                                                                                                          • API String ID: 3311875123-3793063076
                                                                                                          • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                                                          • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                                                                                                          • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                                                          • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                                                                                                          Function 0043717F Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\7xonkSJwuY.exe), ref: 0043719E
                                                                                                          • LoadStringW.USER32(00000000), ref: 004371A7
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                                                                                                          • LoadStringW.USER32(00000000), ref: 004371C0
                                                                                                          • _printf.LIBCMT ref: 004371EC
                                                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                                                                                                          Strings
                                                                                                          • C:\Users\user\Desktop\7xonkSJwuY.exe, xrefs: 00437189
                                                                                                          • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleLoadModuleString$Message_printf
                                                                                                          • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\7xonkSJwuY.exe
                                                                                                          • API String ID: 220974073-1641240998
                                                                                                          • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                                                                          • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
                                                                                                          • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                                                                          • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
                                                                                                          Function 00456168 Relevance: 13.7, APIs: 9, Instructions: 181COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                                                                          • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
                                                                                                          • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                                                                          • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
                                                                                                          Function 004534EB Relevance: 13.6, APIs: 9, Instructions: 150filestringCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\7xonkSJwuY.exe,?,C:\Users\user\Desktop\7xonkSJwuY.exe,004A8E80,C:\Users\user\Desktop\7xonkSJwuY.exe,0040F3D2), ref: 0040FFCA
                                                                                                            • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0045358E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                                                          • String ID:
                                                                                                          • API String ID: 978794511-0
                                                                                                          • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                                                          • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                                                                                                          • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                                                          • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                                                                                                          Function 004417BC Relevance: 13.6, APIs: 9, Instructions: 142COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                                                          • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                                                                                                          • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                                                          • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                                                                                                          Function 00455EF5 Relevance: 13.6, APIs: 9, Instructions: 126windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00455F01
                                                                                                          • _memset.LIBCMT ref: 00455F12
                                                                                                          • SendMessageW.USER32 ref: 00455F43
                                                                                                          • SendMessageW.USER32(?,0000104B,00000000,?), ref: 00455F82
                                                                                                          • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00455FF5
                                                                                                          • _wcslen.LIBCMT ref: 00455FFC
                                                                                                          • _wcslen.LIBCMT ref: 00456018
                                                                                                          • CharNextW.USER32(00000000,?,?,?), ref: 00456034
                                                                                                          • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00456060
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$_wcslen$CharLongNextWindow_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 2321321212-0
                                                                                                          • Opcode ID: 9fe44bf13dfe9639860e83451fa7f42e7831dc5b74bf465a4309150460e9ba2c
                                                                                                          • Instruction ID: 728fd5b54b682decfcd50b06f9b7fb359c8698431e162ed45c662fcf507213b6
                                                                                                          • Opcode Fuzzy Hash: 9fe44bf13dfe9639860e83451fa7f42e7831dc5b74bf465a4309150460e9ba2c
                                                                                                          • Instruction Fuzzy Hash: 5D41D172204241ABE3108F68DC45BABB7E4FB84321F004A2EF954D72D1E7B9904A8B66
                                                                                                          Function 00445CF9 Relevance: 13.6, APIs: 9, Instructions: 69sleepkeyboardwindowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                                                                                            • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                                                                                                            • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                                                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                                                                                          • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                                                                                                          • Sleep.KERNEL32(00000000), ref: 00445D70
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                                                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                                                                                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2014098862-0
                                                                                                          • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                                                          • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                                                                                                          • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                                                          • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
                                                                                                          Function 0045427D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 259libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressProc_malloc$_strcat_strlen
                                                                                                          • String ID: AU3_FreeVar
                                                                                                          • API String ID: 2184576858-771828931
                                                                                                          • Opcode ID: 1ef90bf7f38c1b50a8ded2c1e083fe246c2464ef976d18a6f5d92ba7f5ede2fa
                                                                                                          • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                                                                                                          • Opcode Fuzzy Hash: 1ef90bf7f38c1b50a8ded2c1e083fe246c2464ef976d18a6f5d92ba7f5ede2fa
                                                                                                          • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                                                                                                          Function 00401D10 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 235COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                                                                                          • DestroyWindow.USER32(?), ref: 0042A751
                                                                                                          • UnregisterHotKey.USER32(?), ref: 0042A778
                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0042A822
                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                                                          • String ID: close all
                                                                                                          • API String ID: 4174999648-3243417748
                                                                                                          • Opcode ID: 9f9deb73285226e6ba240568d142da5fec9cf520cd27fc9a3a2cacaca98377aa
                                                                                                          • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                                                                                                          • Opcode Fuzzy Hash: 9f9deb73285226e6ba240568d142da5fec9cf520cd27fc9a3a2cacaca98377aa
                                                                                                          • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                                                                                                          Function 0044AA1F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                                                                                          • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                                                                                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 1291720006-3916222277
                                                                                                          • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                                                          • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                                                                                          • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                                                          • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                                                                                                          Function 0046BB59 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLastselect
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 215497628-2761332787
                                                                                                          • Opcode ID: 0c289dde452dc5b8e8f80b5941646edeec8777aba5bf19acf69e203ec63bbfa9
                                                                                                          • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                                                                                          • Opcode Fuzzy Hash: 0c289dde452dc5b8e8f80b5941646edeec8777aba5bf19acf69e203ec63bbfa9
                                                                                                          • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                                                                                          Function 0047D2F8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __snwprintf__wcsicoll_wcscpy
                                                                                                          • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                                                                          • API String ID: 1729044348-3708979750
                                                                                                          • Opcode ID: e5856c69d37335927e932bb259c431c810e65197c095b32473e915812f67d75c
                                                                                                          • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                                                                                          • Opcode Fuzzy Hash: e5856c69d37335927e932bb259c431c810e65197c095b32473e915812f67d75c
                                                                                                          • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                                                                                          Function 0044BBC9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100filestringCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\7xonkSJwuY.exe,?,C:\Users\user\Desktop\7xonkSJwuY.exe,004A8E80,C:\Users\user\Desktop\7xonkSJwuY.exe,0040F3D2), ref: 0040FFCA
                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                                                                                          • _wcscat.LIBCMT ref: 0044BCAA
                                                                                                          • _wcslen.LIBCMT ref: 0044BCB7
                                                                                                          • _wcslen.LIBCMT ref: 0044BCCB
                                                                                                          • SHFileOperationW.SHELL32 ref: 0044BD16
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                                                          • String ID: \*.*
                                                                                                          • API String ID: 2326526234-1173974218
                                                                                                          • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                                                          • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                                                                                                          • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                                                          • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                                                                                                          Function 004366BE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                                                                                                          • _wcslen.LIBCMT ref: 004366DD
                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00436700
                                                                                                          • GetLastError.KERNEL32 ref: 0043670F
                                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                                                                                                          • _wcsrchr.LIBCMT ref: 0043674C
                                                                                                            • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                                                          • String ID: \
                                                                                                          • API String ID: 321622961-2967466578
                                                                                                          • Opcode ID: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
                                                                                                          • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                                                                                                          • Opcode Fuzzy Hash: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
                                                                                                          • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                                                                                                          Function 0044C80C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsnicmp
                                                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                          • API String ID: 1038674560-2734436370
                                                                                                          • Opcode ID: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
                                                                                                          • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                                                                                                          • Opcode Fuzzy Hash: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
                                                                                                          • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                                                                                                          Function 0047439D Relevance: 12.3, APIs: 8, Instructions: 268COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8a5e7e2b220d2e4bb8ffc9ff05fb60d96dc8bc30e577e31ee69d5eb2f1750fd2
                                                                                                          • Instruction ID: 650af14def374fe6fd11052fbef22cb8aa6c894e3601bf285572d08ae3c4fed9
                                                                                                          • Opcode Fuzzy Hash: 8a5e7e2b220d2e4bb8ffc9ff05fb60d96dc8bc30e577e31ee69d5eb2f1750fd2
                                                                                                          • Instruction Fuzzy Hash: 439192726043009BD710EF65DC82BABB3E9AFD4714F004D2EF548E7291D779E944875A
                                                                                                          Function 00436EC8 Relevance: 12.1, APIs: 8, Instructions: 103COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
                                                                                                          • OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
                                                                                                          • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
                                                                                                          • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
                                                                                                          • __wsplitpath.LIBCMT ref: 00436FA0
                                                                                                          • _wcscat.LIBCMT ref: 00436FB2
                                                                                                          • __wcsicoll.LIBCMT ref: 00436FC4
                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
                                                                                                          • String ID:
                                                                                                          • API String ID: 2903788889-0
                                                                                                          • Opcode ID: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
                                                                                                          • Instruction ID: e95795bff0e4a6f47310c77509a1ee8dff79588992f1933afd8058d7896a4498
                                                                                                          • Opcode Fuzzy Hash: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
                                                                                                          • Instruction Fuzzy Hash: C831A5B5108341ABD725DF54D881EEF73E8BBC8704F00891EF6C587241DBB9AA89C766
                                                                                                          Function 00441561 Relevance: 12.1, APIs: 8, Instructions: 101windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DeleteObject.GDI32(?), ref: 0044157D
                                                                                                          • GetDC.USER32(00000000), ref: 00441585
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
                                                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                                                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                                                                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3864802216-0
                                                                                                          • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                                                                          • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                                                                                                          • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                                                                                                          • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                                                                                                          Function 004140DB Relevance: 12.0, APIs: 8, Instructions: 42threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                                                          • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                                                          • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                                                                          • ExitThread.KERNEL32 ref: 0041410F
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                                                                          • __freefls@4.LIBCMT ref: 00414135
                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                          • String ID:
                                                                                                          • API String ID: 1925773019-0
                                                                                                          • Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                                                                          • Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
                                                                                                          • Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                                                                                                          • Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
                                                                                                          Function 004357AD Relevance: 12.0, APIs: 8, Instructions: 36COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • VariantClear.OLEAUT32(00000038), ref: 004357C3
                                                                                                          • VariantClear.OLEAUT32(00000058), ref: 004357C9
                                                                                                          • VariantClear.OLEAUT32(00000068), ref: 004357CF
                                                                                                          • VariantClear.OLEAUT32(00000078), ref: 004357D5
                                                                                                          • VariantClear.OLEAUT32(00000088), ref: 004357DE
                                                                                                          • VariantClear.OLEAUT32(00000048), ref: 004357E4
                                                                                                          • VariantClear.OLEAUT32(00000098), ref: 004357ED
                                                                                                          • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClearVariant
                                                                                                          • String ID:
                                                                                                          • API String ID: 1473721057-0
                                                                                                          • Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                                                                          • Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
                                                                                                          • Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                                                                                                          • Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
                                                                                                          Function 00464A0E Relevance: 10.8, APIs: 7, Instructions: 281networkmemoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 00464ADE
                                                                                                            • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                                                          • inet_addr.WSOCK32(?), ref: 00464B1F
                                                                                                          • gethostbyname.WSOCK32(?), ref: 00464B29
                                                                                                          • _memset.LIBCMT ref: 00464B92
                                                                                                          • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                                                                                                          • WSACleanup.WSOCK32 ref: 00464CE4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                                                                                                          • String ID:
                                                                                                          • API String ID: 3424476444-0
                                                                                                          • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                                                                          • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                                                                                                          • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                                                                          • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
                                                                                                          Function 00440B39 Relevance: 10.8, APIs: 7, Instructions: 261COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MetricsSystem
                                                                                                          • String ID:
                                                                                                          • API String ID: 4116985748-0
                                                                                                          • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                                                          • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                                                                                                          • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                                                          • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                                                                                          Function 0046AB70 Relevance: 10.8, APIs: 7, Instructions: 260registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConnectRegistry_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 535477410-0
                                                                                                          • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                                                          • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                                                                                                          • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                                                          • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                                                                                                          Function 0045377F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                          • _memset.LIBCMT ref: 004538C4
                                                                                                          • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                                                                                                          • _wcslen.LIBCMT ref: 00453960
                                                                                                          • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                                                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 3530711334-4108050209
                                                                                                          • Opcode ID: c8c2b72c749714a23e45c10816ef9459d7fe91b5f095051f547869ed1843acb9
                                                                                                          • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                                                                                          • Opcode Fuzzy Hash: c8c2b72c749714a23e45c10816ef9459d7fe91b5f095051f547869ed1843acb9
                                                                                                          • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                                                                                          Function 0047395A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 3488606520-2761332787
                                                                                                          • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                                                          • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                                                                                                          • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                                                          • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                                                                                                          Function 004472C8 Relevance: 10.7, APIs: 7, Instructions: 207COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                          • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                                                          • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                                                          • LineTo.GDI32(?,?), ref: 004474BF
                                                                                                          • CloseFigure.GDI32(?), ref: 004474C6
                                                                                                          • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                                                          • Rectangle.GDI32(?,?), ref: 004474F3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                                          • String ID:
                                                                                                          • API String ID: 4082120231-0
                                                                                                          • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                                                          • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                                                                                                          • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                                                          • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                                                                                                          Function 00447303 Relevance: 10.7, APIs: 7, Instructions: 192COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                          • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                                                          • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                                                          • LineTo.GDI32(?,?), ref: 004474BF
                                                                                                          • CloseFigure.GDI32(?), ref: 004474C6
                                                                                                          • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                                                          • Rectangle.GDI32(?,?), ref: 004474F3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                                          • String ID:
                                                                                                          • API String ID: 4082120231-0
                                                                                                          • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                                                                          • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                                                                                                          • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                                                                                                          • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                                                                                                          Function 0044733D Relevance: 10.7, APIs: 7, Instructions: 177COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                                                                                                          • String ID:
                                                                                                          • API String ID: 288456094-0
                                                                                                          • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                                                                          • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                                                                                                          • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                                                                                                          • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                                                                                                          Function 0044496C Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetParent.USER32(?), ref: 004449B0
                                                                                                          • GetKeyboardState.USER32(?), ref: 004449C3
                                                                                                          • SetKeyboardState.USER32(?), ref: 00444A0F
                                                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                                                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                                                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                                                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                                                          • String ID:
                                                                                                          • API String ID: 87235514-0
                                                                                                          • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                                                                          • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                                                                                                          • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                                                                                                          • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                                                                                                          Function 00444B65 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetParent.USER32(?), ref: 00444BA9
                                                                                                          • GetKeyboardState.USER32(?), ref: 00444BBC
                                                                                                          • SetKeyboardState.USER32(?), ref: 00444C08
                                                                                                          • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                                                                                                          • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                                                                                                          • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                                                                                                          • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                                                          • String ID:
                                                                                                          • API String ID: 87235514-0
                                                                                                          • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                                                          • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                                                                                                          • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                                                                                                          • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                                                                                                          Function 004498BD Relevance: 10.7, APIs: 7, Instructions: 159COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                                                          • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                                                                                                          • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                                                                                                          • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                                                                                                          Function 0046A98D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConnectRegistry_wcslen
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 535477410-2761332787
                                                                                                          • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                                                          • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                                                                                                          • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                                                                                                          • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                                                                                                          Function 00457C08 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00457C34
                                                                                                          • _memset.LIBCMT ref: 00457CE8
                                                                                                          • ShellExecuteExW.SHELL32(?), ref: 00457D34
                                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                          • CloseHandle.KERNEL32(?), ref: 00457DDD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                                                                                                          • String ID: <$@
                                                                                                          • API String ID: 1325244542-1426351568
                                                                                                          • Opcode ID: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
                                                                                                          • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                                                                                                          • Opcode Fuzzy Hash: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
                                                                                                          • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                                                                                                          Function 0047375F Relevance: 10.6, APIs: 7, Instructions: 150processCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                                                                                          • __wsplitpath.LIBCMT ref: 004737E1
                                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                          • _wcscat.LIBCMT ref: 004737F6
                                                                                                          • __wcsicoll.LIBCMT ref: 00473818
                                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                                          • String ID:
                                                                                                          • API String ID: 2547909840-0
                                                                                                          • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                                                          • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                                                                                          • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                                                          • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                                                                                          Function 00455297 Relevance: 10.6, APIs: 7, Instructions: 149windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                                                                                          • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                                                                                                          • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2354583917-0
                                                                                                          • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                                                          • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                                                                                          • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                                                          • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                                                                                          Function 0047762A Relevance: 10.6, APIs: 7, Instructions: 140windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                                                          • GetMenu.USER32 ref: 004776AA
                                                                                                          • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                                                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                                                                                          • _wcslen.LIBCMT ref: 0047771A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$CountItemStringWindow_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1823500076-0
                                                                                                          • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                                                          • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                                                                                          • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                                                          • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                                                                                          Function 00448877 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                                                                                          • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                                                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Enable$Show$MessageMoveSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 896007046-0
                                                                                                          • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                                                          • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                                                                                          • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                                                          • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                                                                                          Function 004413F0 Relevance: 10.6, APIs: 7, Instructions: 114windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                                                          • SendMessageW.USER32(03001B98,000000F1,00000000,00000000), ref: 004414C6
                                                                                                          • SendMessageW.USER32(03001B98,000000F1,00000001,00000000), ref: 004414F1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$LongWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 312131281-0
                                                                                                          • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                                                          • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                                                                                                          • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                                                          • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                                                                                                          Function 0044849C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 004484C4
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                                                                                                          • IsMenu.USER32(?), ref: 0044857B
                                                                                                          • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                                                                                                          • DrawMenuBar.USER32 ref: 004485E4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 3866635326-4108050209
                                                                                                          • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                                                          • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                                                                                          • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                                                          • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                                                                                          Function 0047244D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104sleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • InterlockedIncrement.KERNEL32 ref: 0047247C
                                                                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 00472499
                                                                                                          • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                                                                                          • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                          • String ID: 0vH
                                                                                                          • API String ID: 327565842-3662162768
                                                                                                          • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                                                          • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                                                                                                          • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                                                                                                          • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                                                                                                          Function 00448AFF Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                                                                                                          • GetFocus.USER32 ref: 00448B1C
                                                                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Enable$Show$FocusMessageSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3429747543-0
                                                                                                          • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                                                          • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                                                                                                          • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                                                                                                          • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                                                                                                          Function 0045D321 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                                                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                                                                                                          • __swprintf.LIBCMT ref: 0045D3CC
                                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                          • String ID: %lu$HH
                                                                                                          • API String ID: 3164766367-3924996404
                                                                                                          • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                                                          • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                                                                                                          • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                                                                                                          • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                                                                                                          Function 00450DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                                                                                                          • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                                                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                                                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                                                                                                          • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: Msctls_Progress32
                                                                                                          • API String ID: 3850602802-3636473452
                                                                                                          • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                                                          • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                                                                                                          • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                                                                                                          • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                                                                                                          Function 00455449 Relevance: 10.6, APIs: 7, Instructions: 75windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 00455451
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 0045545F
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                                                          • String ID:
                                                                                                          • API String ID: 3985565216-0
                                                                                                          • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                                                          • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                                                                                                          • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                                                                                                          • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                                                                                                          Function 00415702 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 00415737
                                                                                                          • __calloc_crt.LIBCMT ref: 00415743
                                                                                                          • __getptd.LIBCMT ref: 00415750
                                                                                                          • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                                                                                                          • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                                                                                                          • __dosmaperr.LIBCMT ref: 004157A9
                                                                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 1269668773-0
                                                                                                          • Opcode ID: db8aef5968a57f9392d96923d824da0b97b30735f98488ed4da1dd9b8d69f402
                                                                                                          • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                                                                                                          • Opcode Fuzzy Hash: db8aef5968a57f9392d96923d824da0b97b30735f98488ed4da1dd9b8d69f402
                                                                                                          • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                                                                                                          Function 00439102 Relevance: 10.5, APIs: 7, Instructions: 46threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                                                                                                            • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                                                                                                          • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 1957940570-0
                                                                                                          • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                                                          • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                                                                                                          • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                                                                                                          • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                                                                                                          Function 0041568B Relevance: 10.5, APIs: 7, Instructions: 37threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                                                          • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                                                          • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                                                                          • ExitThread.KERNEL32 ref: 004156BD
                                                                                                          • __freefls@4.LIBCMT ref: 004156D9
                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                          • String ID:
                                                                                                          • API String ID: 4166825349-0
                                                                                                          • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                                                          • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                                                                                          • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                                                          • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                                                                                          Function 00434124 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 15libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                                                                                          • API String ID: 2574300362-3261711971
                                                                                                          • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                                                          • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                                                                                          • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                                                          • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                                                                                                          Function 0047B1D0 Relevance: 9.5, APIs: 6, Instructions: 489COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                                                          • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                                                                          • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                                                          • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                                                                          Function 004336C7 Relevance: 9.3, APIs: 6, Instructions: 253COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetClientRect.USER32(?,?), ref: 00433724
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                                                                          • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                                                                                          • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00433814
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00433842
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                                          • String ID:
                                                                                                          • API String ID: 3220332590-0
                                                                                                          • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                                                          • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                                                                          • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                                                          • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                                                                          Function 00457838 Relevance: 9.2, APIs: 6, Instructions: 176COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1612042205-0
                                                                                                          • Opcode ID: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                                                                                                          • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                                                                          • Opcode Fuzzy Hash: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                                                                                                          • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                                                                          Function 0044C522 Relevance: 9.2, APIs: 6, Instructions: 155windowkeyboardCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                                                                                          • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                                                                                          • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                                                                                          • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                                                                                          • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                                                                                          • SendInput.USER32 ref: 0044C6E2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost$KeyboardState$InputSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 2221674350-0
                                                                                                          • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                                                          • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                                                                          • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                                                          • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                                                                                                          Function 00445153 Relevance: 9.1, APIs: 6, Instructions: 142COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscpy$_wcscat
                                                                                                          • String ID:
                                                                                                          • API String ID: 2037614760-0
                                                                                                          • Opcode ID: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                                                                                                          • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                                                                          • Opcode Fuzzy Hash: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                                                                                                          • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                                                                          Function 00447B66 Relevance: 9.1, APIs: 6, Instructions: 119COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                                                          • EndPaint.USER32(?,?), ref: 00447CD1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 4189319755-0
                                                                                                          • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                                                          • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                                                                          • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                                                          • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                                                                                          Function 0044B474 Relevance: 9.1, APIs: 6, Instructions: 113fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                                                                                          • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                                                                                                          • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                                                                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 1726766782-0
                                                                                                          • Opcode ID: d1f4c8b32701f3515452156a35d83f93081eba70680028f938022ee8972e20b1
                                                                                                          • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                                                                                          • Opcode Fuzzy Hash: d1f4c8b32701f3515452156a35d83f93081eba70680028f938022ee8972e20b1
                                                                                                          • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                                                                                          Function 00441077 Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                                                                                                          • EnableWindow.USER32(?,00000000), ref: 0044111A
                                                                                                          • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                                                                                                          • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                                                                                                          • EnableWindow.USER32(?,00000001), ref: 004411B3
                                                                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 642888154-0
                                                                                                          • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                                                          • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                                                                                                          • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                                                                                                          • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                                                                                                          Function 00449063 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                                                                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                                                                                                          • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                                                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$LongWindow$InvalidateRect
                                                                                                          • String ID:
                                                                                                          • API String ID: 1976402638-0
                                                                                                          • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                                                          • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                                                                                                          • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                                                                                                          • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                                                                                                          Function 00442582 Relevance: 9.1, APIs: 6, Instructions: 104COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetForegroundWindow.USER32 ref: 00442597
                                                                                                            • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                                                                                                          • GetDesktopWindow.USER32 ref: 004425BF
                                                                                                          • GetWindowRect.USER32(00000000), ref: 004425C6
                                                                                                          • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                                                                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                                          • GetCursorPos.USER32(?), ref: 00442624
                                                                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                          • String ID:
                                                                                                          • API String ID: 4137160315-0
                                                                                                          • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                                                          • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                                                                                                          • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                                                                                                          • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                                                                                                          Function 00448851 Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                                                                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Enable$Show$MessageSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 1871949834-0
                                                                                                          • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                                                          • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                                                                                                          • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                                                                                                          • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                                                                                                          Function 00449606 Relevance: 9.1, APIs: 6, Instructions: 91windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 0044961A
                                                                                                          • SendMessageW.USER32 ref: 0044964A
                                                                                                            • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                                                                                                          • _wcslen.LIBCMT ref: 004496BA
                                                                                                          • _wcslen.LIBCMT ref: 004496C7
                                                                                                          • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$_wcslen$_memset_wcspbrk
                                                                                                          • String ID:
                                                                                                          • API String ID: 1624073603-0
                                                                                                          • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                                                          • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                                                                                                          • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                                                                                                          • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                                                                                                          Function 004416D1 Relevance: 9.1, APIs: 6, Instructions: 84COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                                                          • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                                                                                                          • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                                                                                                          • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                                                                                                          Function 0045552E Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DestroyWindow$DeleteObject$IconMove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1640429340-0
                                                                                                          • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                                                          • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                                                                                          • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                                                          • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                                                                                                          Function 00467E5E Relevance: 9.1, APIs: 6, Instructions: 78COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fileno__setmode$DebugOutputString_fprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 3354276064-0
                                                                                                          • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                                                          • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                                                                                          • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                                                          • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                                                                                          Function 00455080 Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 752480666-0
                                                                                                          • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                                                          • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                                                                          • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                                                          • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                                                                          Function 00455212 Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(00000000), ref: 0045527A
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                          • String ID:
                                                                                                          • API String ID: 3275902921-0
                                                                                                          • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                                                          • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                                                                          • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                                                          • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                                                                          Function 00439326 Relevance: 9.1, APIs: 6, Instructions: 72processCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                                                                          • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                                                                          • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                                                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                                                                          • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                          • String ID:
                                                                                                          • API String ID: 1413079979-0
                                                                                                          • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                                                          • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                                                                                          • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                                                          • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                                                                                          Function 0041415E Relevance: 9.1, APIs: 6, Instructions: 71threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                                                                          • __calloc_crt.LIBCMT ref: 0041419B
                                                                                                          • __getptd.LIBCMT ref: 004141A8
                                                                                                          • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                                                                          • __dosmaperr.LIBCMT ref: 00414201
                                                                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 1803633139-0
                                                                                                          • Opcode ID: 0633609dd6787eeb7369be4beec68ec3a5aed62216cc83941d5f71efc1565539
                                                                                                          • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                                                                                          • Opcode Fuzzy Hash: 0633609dd6787eeb7369be4beec68ec3a5aed62216cc83941d5f71efc1565539
                                                                                                          • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                                                                                          Function 004555E0 Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                          • String ID:
                                                                                                          • API String ID: 3275902921-0
                                                                                                          • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                                                          • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                                                                                                          • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                                                          • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                                                                                                          Function 004554C0 Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32 ref: 004554DF
                                                                                                          • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3691411573-0
                                                                                                          • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                                                          • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                                                                                                          • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                                                          • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                                                                                                          Function 0043609C Relevance: 9.1, APIs: 6, Instructions: 59COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                                                                                          • String ID:
                                                                                                          • API String ID: 1814673581-0
                                                                                                          • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                                                          • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                                                                                          • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                                                          • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                                                                                          Function 00436272 Relevance: 9.1, APIs: 6, Instructions: 59sleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                          • String ID:
                                                                                                          • API String ID: 2833360925-0
                                                                                                          • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                                                          • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                                                                                          • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                                                          • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                                                                                                          Function 004471EC Relevance: 9.0, APIs: 6, Instructions: 50COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                                                                          • LineTo.GDI32(?,?,?), ref: 00447227
                                                                                                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                                                                          • LineTo.GDI32(?,?,?), ref: 0044723D
                                                                                                          • EndPath.GDI32(?), ref: 0044724E
                                                                                                          • StrokePath.GDI32(?), ref: 0044725C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                                          • String ID:
                                                                                                          • API String ID: 372113273-0
                                                                                                          • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                                                          • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                                                                                                          • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                                                          • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                                                                                                          Function 00410940 Relevance: 9.0, APIs: 6, Instructions: 49keyboardCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Virtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4278518827-0
                                                                                                          • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                                                          • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                                                                                                          • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                                                          • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                                                                                                          Function 0044CBD3 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetDC.USER32(00000000), ref: 0044CBEF
                                                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                                                                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CapsDevice$Release
                                                                                                          • String ID:
                                                                                                          • API String ID: 1035833867-0
                                                                                                          • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                                                          • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                                                                                                          • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                                                          • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                                                                                                          Function 0044B64F Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                                                                          • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                                                                          • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                                                                            • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                                                                                          • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                                                                          • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 3495660284-0
                                                                                                          • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                                                          • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                                                                                          • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                                                          • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                                                                                          Function 00437118 Relevance: 9.0, APIs: 6, Instructions: 37windowtimethreadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 839392675-0
                                                                                                          • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                                                          • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                                                                                          • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                                                          • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                                                                                                          Function 0043604B Relevance: 9.0, APIs: 6, Instructions: 33serviceCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\7xonkSJwuY.exe,00000004), ref: 00436055
                                                                                                          • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                                                                                          • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                                                                                          • GetLastError.KERNEL32 ref: 00436081
                                                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                                                                          • String ID:
                                                                                                          • API String ID: 1690418490-0
                                                                                                          • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                                                          • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                                                                                                          • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                                                          • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                                                                                                          Function 00475ACA Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237comCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                                                          • CoInitialize.OLE32(00000000), ref: 00475B71
                                                                                                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                                                                                          • CoUninitialize.OLE32 ref: 00475D71
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                          • String ID: .lnk$HH
                                                                                                          • API String ID: 886957087-3121654589
                                                                                                          • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                                                          • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                                                                                                          • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                                                          • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                                                                                                          Function 0045F132 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1173514356-4108050209
                                                                                                          • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                                                          • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                                                                                                          • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                                                          • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                                                                                                          Function 004692E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                                                                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                                                                                          • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$_wcslen
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 763830540-1403004172
                                                                                                          • Opcode ID: 7f2c4204b424c93c7ac22b89fbd31dfb367e10b18f94ca1fc21d6a87b04bc3c1
                                                                                                          • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                                                                                          • Opcode Fuzzy Hash: 7f2c4204b424c93c7ac22b89fbd31dfb367e10b18f94ca1fc21d6a87b04bc3c1
                                                                                                          • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                                                                                          Function 00443981 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetStdHandle.KERNEL32(?), ref: 004439B4
                                                                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                                                            • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentHandleProcess$Duplicate
                                                                                                          • String ID: nul
                                                                                                          • API String ID: 2124370227-2873401336
                                                                                                          • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                                                          • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                                                                                          • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                                                          • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                                                                                          Function 00443887 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                                                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                                                            • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                                                            • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentHandleProcess$Duplicate
                                                                                                          • String ID: nul
                                                                                                          • API String ID: 2124370227-2873401336
                                                                                                          • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                                                          • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                                                                                                          • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                                                                                                          • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                                                                                                          Function 004412AE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowlibraryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                                                                                          • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                                                                                          • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                                                                                          • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                                          • String ID: SysAnimate32
                                                                                                          • API String ID: 3529120543-1011021900
                                                                                                          • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                                                          • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                                                                                                          • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                                                                                                          • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                                                                                                          Function 00443009 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                                                                                          • TranslateMessage.USER32(?), ref: 0044308B
                                                                                                          • DispatchMessageW.USER32(?), ref: 00443096
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message$Peek$DispatchTranslate
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 1795658109-438819550
                                                                                                          • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                                                          • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                                                                                                          • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                                                                                                          • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                                                                                                          Function 004609BD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                            • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                                                            • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                                                            • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                                                            • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                                                          • GetFocus.USER32 ref: 004609EF
                                                                                                            • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                                                                                            • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                                                                                          • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                                                                                                          • __swprintf.LIBCMT ref: 00460A7A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                                                                                                          • String ID: %s%d
                                                                                                          • API String ID: 991886796-1110647743
                                                                                                          • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                                                          • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                                                                                                          • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                                                                                                          • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                                                                                                          Function 0040F790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memset$_sprintf
                                                                                                          • String ID: %02X
                                                                                                          • API String ID: 891462717-436463671
                                                                                                          • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                                                          • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                                                                                                          • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                                                                                                          • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                                                                                                          Function 0040F3B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 0042CD00
                                                                                                          • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                                                                                                            • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\7xonkSJwuY.exe,?,C:\Users\user\Desktop\7xonkSJwuY.exe,004A8E80,C:\Users\user\Desktop\7xonkSJwuY.exe,0040F3D2), ref: 0040FFCA
                                                                                                            • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                                                                                            • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                                                                                                            • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                                                                                            • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                                                                                            • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                                                                                            • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                                                                                                          • String ID: $OH$@OH$X
                                                                                                          • API String ID: 3491138722-1394974532
                                                                                                          • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                                                          • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                                                                                                          • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                                                                                                          • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                                                                                                          Function 00463D7E Relevance: 7.6, APIs: 5, Instructions: 141libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                                                                                          • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                                                                                                          • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                                                                                                          • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                                                          • String ID:
                                                                                                          • API String ID: 2449869053-0
                                                                                                          • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                                                          • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                                                                                          • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                                                          • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                                                                                                          Function 0044C379 Relevance: 7.6, APIs: 5, Instructions: 137windowkeyboardCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                                                                                                          • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                                                                                                          • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                                                                                                          • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                                                                                                          • SendInput.USER32 ref: 0044C509
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: KeyboardMessagePostState$InputSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3031425849-0
                                                                                                          • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                                                          • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                                                                                                          • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                                                                                                          • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
                                                                                                          Function 004422B9 Relevance: 7.6, APIs: 5, Instructions: 108registryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Enum$CloseDeleteOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2095303065-0
                                                                                                          • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                                                          • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                                                                                                          • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                                                                                                          • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                                                                                          Function 0045C277 Relevance: 7.6, APIs: 5, Instructions: 105COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                                                                                                          • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: PrivateProfile$SectionWrite$String
                                                                                                          • String ID:
                                                                                                          • API String ID: 2832842796-0
                                                                                                          • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                                                          • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                                                                                          • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                                                          • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                                                                                          Function 0044796B Relevance: 7.6, APIs: 5, Instructions: 96COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetClientRect.USER32(?,?), ref: 00447997
                                                                                                          • GetCursorPos.USER32(?), ref: 004479A2
                                                                                                          • ScreenToClient.USER32(?,?), ref: 004479BE
                                                                                                          • WindowFromPoint.USER32(?,?), ref: 004479FF
                                                                                                          • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1822080540-0
                                                                                                          • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                                                          • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                                                                                          • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                                                          • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                                                                                          Function 00447BAF Relevance: 7.6, APIs: 5, Instructions: 95COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                                                          • EndPaint.USER32(?,?), ref: 00447CD1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 659298297-0
                                                                                                          • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                                                          • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                                                                                          • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                                                          • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                                                                                          Function 00447870 Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCursorPos.USER32(?), ref: 004478A7
                                                                                                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                                                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                                                                                          • GetCursorPos.USER32(?), ref: 00447935
                                                                                                          • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CursorMenuPopupTrack$Proc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1300944170-0
                                                                                                          • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                                                          • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                                                                                          • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                                                          • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                                                                                          Function 00448837 Relevance: 7.6, APIs: 5, Instructions: 89COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                                          • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                                          • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                                          • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                                            • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                                                            • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                                                            • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                                                            • Part of subcall function 004413F0: SendMessageW.USER32(03001B98,000000F1,00000000,00000000), ref: 004414C6
                                                                                                            • Part of subcall function 004413F0: SendMessageW.USER32(03001B98,000000F1,00000001,00000000), ref: 004414F1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$EnableMessageSend$LongShow
                                                                                                          • String ID:
                                                                                                          • API String ID: 142311417-0
                                                                                                          • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                                                          • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                                                                                          • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                                                          • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                                                                                          Function 00449549 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 0044955A
                                                                                                            • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                                                          • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                                                                                          • _wcslen.LIBCMT ref: 004495C1
                                                                                                          • _wcslen.LIBCMT ref: 004495CE
                                                                                                          • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend_wcslen$_memset_wcspbrk
                                                                                                          • String ID:
                                                                                                          • API String ID: 1843234404-0
                                                                                                          • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                                                          • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                                                                                          • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                                                          • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                                                                                                          Function 00455014 Relevance: 7.6, APIs: 5, Instructions: 78COMMON
                                                                                                          Download Yara Rule
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                                                          • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                                                                                                          • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                                                          • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                                                                                                          Function 00445719 Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • IsWindowVisible.USER32(?), ref: 00445721
                                                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                                                                                          • _wcslen.LIBCMT ref: 004457A3
                                                                                                          • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 3087257052-0
                                                                                                          • Opcode ID: 707967777abbcb615846d4014dd15678eb91240126a64b2d293a4799175c36b7
                                                                                                          • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                                                                                          • Opcode Fuzzy Hash: 707967777abbcb615846d4014dd15678eb91240126a64b2d293a4799175c36b7
                                                                                                          • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                                                                                          Function 00459DCF Relevance: 7.6, APIs: 5, Instructions: 71COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • IsWindow.USER32(00000000), ref: 00459DEF
                                                                                                          • GetForegroundWindow.USER32 ref: 00459E07
                                                                                                          • GetDC.USER32(00000000), ref: 00459E44
                                                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$ForegroundPixelRelease
                                                                                                          • String ID:
                                                                                                          • API String ID: 4156661090-0
                                                                                                          • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                                                          • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                                                                                          • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                                                          • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                                                                                          Function 00464950 Relevance: 7.6, APIs: 5, Instructions: 68networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                                                          • socket.WSOCK32(00000002,00000001,00000006), ref: 00464985
                                                                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                                                                                          • connect.WSOCK32(00000000,00000000,00000010), ref: 004649CD
                                                                                                          • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                                                                                          • closesocket.WSOCK32(00000000), ref: 00464A07
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 245547762-0
                                                                                                          • Opcode ID: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                                                                                                          • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                                                                                          • Opcode Fuzzy Hash: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                                                                                                          • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                                                                                          Function 0044710F Relevance: 7.6, APIs: 5, Instructions: 67COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                          • BeginPath.GDI32(?), ref: 004471B7
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Object$Select$BeginCreateDeletePath
                                                                                                          • String ID:
                                                                                                          • API String ID: 2338827641-0
                                                                                                          • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                                                          • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                                                                                          • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                                                          • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                                                                                          Function 0043770A Relevance: 7.6, APIs: 5, Instructions: 56sleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CounterPerformanceQuerySleep
                                                                                                          • String ID:
                                                                                                          • API String ID: 2875609808-0
                                                                                                          • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                                                          • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                                                                                          • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                                                          • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
                                                                                                          Function 0046FCC6 Relevance: 7.5, APIs: 5, Instructions: 49windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32 ref: 0046FD00
                                                                                                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                                                                                          • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                                                                                          • DestroyIcon.USER32(?), ref: 0046FD58
                                                                                                          • DestroyIcon.USER32(?), ref: 0046FD5F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$DestroyIcon
                                                                                                          • String ID:
                                                                                                          • API String ID: 3419509030-0
                                                                                                          • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                                                          • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                                                                                          • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                                                          • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                                                                                          Function 004175A2 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __getptd.LIBCMT ref: 004175AE
                                                                                                            • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                                                            • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                                                          • __amsg_exit.LIBCMT ref: 004175CE
                                                                                                          • __lock.LIBCMT ref: 004175DE
                                                                                                          • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                                                                                                          • InterlockedIncrement.KERNEL32(03002CE0), ref: 00417626
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                          • String ID:
                                                                                                          • API String ID: 4271482742-0
                                                                                                          • Opcode ID: d6cef3bb51e24a67cec8ab44f6757d259217b52fb7d0b28ccec9cb26f86fa195
                                                                                                          • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                                                                                                          • Opcode Fuzzy Hash: d6cef3bb51e24a67cec8ab44f6757d259217b52fb7d0b28ccec9cb26f86fa195
                                                                                                          • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                                                                                                          Function 004555B8 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteObjectWindow$Icon
                                                                                                          • String ID:
                                                                                                          • API String ID: 4023252218-0
                                                                                                          • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                                                          • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                                                                                                          • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                                                          • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
                                                                                                          Function 0046032B Relevance: 7.5, APIs: 5, Instructions: 43windowtimeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00460342
                                                                                                          • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                                                                                                          • MessageBeep.USER32(00000000), ref: 0046036D
                                                                                                          • KillTimer.USER32(?,0000040A), ref: 00460392
                                                                                                          • EndDialog.USER32(?,00000001), ref: 004603AB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3741023627-0
                                                                                                          • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                                                                          • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
                                                                                                          • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                                                                          • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
                                                                                                          Function 00455505 Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1489400265-0
                                                                                                          • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                                                                          • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
                                                                                                          • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                                                                          • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
                                                                                                          Function 0045551F Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                                                          • String ID:
                                                                                                          • API String ID: 1042038666-0
                                                                                                          • Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                                                                          • Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
                                                                                                          • Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                                                                          • Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
                                                                                                          Function 0043315E Relevance: 7.5, APIs: 5, Instructions: 33COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                          • String ID:
                                                                                                          • API String ID: 2625713937-0
                                                                                                          • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                                                                          • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
                                                                                                          • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                                                                          • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
                                                                                                          Function 004140CF Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                                                          • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                                                          • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                                                                          • ExitThread.KERNEL32 ref: 0041410F
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                                                                          • __freefls@4.LIBCMT ref: 00414135
                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 132634196-0
                                                                                                          • Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                                                                          • Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
                                                                                                          • Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                                                                          • Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
                                                                                                          Function 00415601 Relevance: 7.5, APIs: 5, Instructions: 23threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
                                                                                                            • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                                                                          • __getptd_noexit.LIBCMT ref: 00415620
                                                                                                          • CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
                                                                                                          • __freeptd.LIBCMT ref: 0041563B
                                                                                                          • ExitThread.KERNEL32 ref: 00415643
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 3798957060-0
                                                                                                          • Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                                                                          • Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
                                                                                                          • Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                                                                          • Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD
                                                                                                          Function 0041567F Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                                                                          • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                                                                            • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                                            • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                                            • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                                                          • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                                                                            • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                                                          • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                                                                            • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                                                          • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                                                                          • ExitThread.KERNEL32 ref: 004156BD
                                                                                                          • __freefls@4.LIBCMT ref: 004156D9
                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 1537469427-0
                                                                                                          • Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                                                                                                          • Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
                                                                                                          • Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                                                                                                          • Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D
                                                                                                          Function 0040AB16 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 423COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _malloc
                                                                                                          • String ID: Default$|k
                                                                                                          • API String ID: 1579825452-2254895183
                                                                                                          • Opcode ID: 3487a4ebd3b6326aef9d7885c20b94cf9b3333ebd549fd878091b2165ba8d13b
                                                                                                          • Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
                                                                                                          • Opcode Fuzzy Hash: 3487a4ebd3b6326aef9d7885c20b94cf9b3333ebd549fd878091b2165ba8d13b
                                                                                                          • Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
                                                                                                          Function 0044F0B1 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 377COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memcmp
                                                                                                          • String ID: '$[$h
                                                                                                          • API String ID: 2931989736-1224472061
                                                                                                          • Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                                                                                          • Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
                                                                                                          • Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                                                                                          • Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
                                                                                                          Function 0044F1F5 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 358COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _strncmp
                                                                                                          • String ID: >$R$U
                                                                                                          • API String ID: 909875538-1924298640
                                                                                                          • Opcode ID: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
                                                                                                          • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
                                                                                                          • Opcode Fuzzy Hash: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
                                                                                                          • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
                                                                                                          Function 0046CDA0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263comCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                                                          • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                                                                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                                                                          • CoUninitialize.OLE32 ref: 0046CE50
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                          • String ID: .lnk
                                                                                                          • API String ID: 886957087-24824748
                                                                                                          • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                                                          • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                                                                                                          • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                                                          • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                                                                                                          Function 00469BED Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen
                                                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                          • API String ID: 176396367-557222456
                                                                                                          • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                                                          • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                                                                                                          • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                                                          • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
                                                                                                          Function 0042D2CC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 204COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                                                                                                          • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$ClearCopyInit_malloc
                                                                                                          • String ID: 4RH
                                                                                                          • API String ID: 2981388473-749298218
                                                                                                          • Opcode ID: 886d72268d4c4b31cd7e9b97dec5c8ab100e14167db6bca7b584ef53709687b2
                                                                                                          • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
                                                                                                          • Opcode Fuzzy Hash: 886d72268d4c4b31cd7e9b97dec5c8ab100e14167db6bca7b584ef53709687b2
                                                                                                          • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
                                                                                                          Function 004667A7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 170shareCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                            • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                          • __wcsnicmp.LIBCMT ref: 0046681A
                                                                                                          • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                                                          • String ID: LPT$HH
                                                                                                          • API String ID: 3035604524-2728063697
                                                                                                          • Opcode ID: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
                                                                                                          • Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
                                                                                                          • Opcode Fuzzy Hash: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
                                                                                                          • Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
                                                                                                          Function 00438A5D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                                                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                                                                                                            • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                                                                                                          • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$MemoryProcess$ReadWrite
                                                                                                          • String ID: @
                                                                                                          • API String ID: 4055202900-2766056989
                                                                                                          • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                                                                          • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
                                                                                                          • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                                                                                                          • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
                                                                                                          Function 00465D41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CrackInternet_memset_wcslen
                                                                                                          • String ID: |
                                                                                                          • API String ID: 915713708-2343686810
                                                                                                          • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                                                                          • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
                                                                                                          • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                                                                                                          • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
                                                                                                          Function 0044A7DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                                                                                                          • HttpQueryInfoW.WININET ref: 0044A892
                                                                                                            • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3705125965-3916222277
                                                                                                          • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                                                                          • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
                                                                                                          • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                                                                                                          • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
                                                                                                          Function 004509D1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                                                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Long
                                                                                                          • String ID: SysTreeView32
                                                                                                          • API String ID: 847901565-1698111956
                                                                                                          • Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                                                                          • Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
                                                                                                          • Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                                                                                                          • Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
                                                                                                          Function 00437CA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                                                                                          • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                                                                                          • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Library$AddressFreeLoadProc
                                                                                                          • String ID: AU3_GetPluginDetails
                                                                                                          • API String ID: 145871493-4132174516
                                                                                                          • Opcode ID: 86e4c61e32d2ed878dfd7fe720ec64e92d9a8cb9aafa3c38a6749b64446316ec
                                                                                                          • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                                                                                                          • Opcode Fuzzy Hash: 86e4c61e32d2ed878dfd7fe720ec64e92d9a8cb9aafa3c38a6749b64446316ec
                                                                                                          • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                                                                                                          Function 00450C09 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DestroyWindow
                                                                                                          • String ID: msctls_updown32
                                                                                                          • API String ID: 3375834691-2298589950
                                                                                                          • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                                                          • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
                                                                                                          • Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                                                                                                          • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
                                                                                                          Function 00451191 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                                                                                                          • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                                                                                                          • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$MoveWindow
                                                                                                          • String ID: Listbox
                                                                                                          • API String ID: 3315199576-2633736733
                                                                                                          • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                                                          • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                                                                                                          • Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                                                          • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                                                                                                          Function 0045D235 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                                                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$InformationVolume
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 2507767853-2761332787
                                                                                                          • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                                                          • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                                                                                                          • Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                                                          • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                                                                                                          Function 0045D42B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                                                                                                          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                                                                                                          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$InformationVolume
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 2507767853-2761332787
                                                                                                          • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                                                          • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                                                                                                          • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                                                          • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                                                                                                          Function 00450D00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                                                                                          • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: msctls_trackbar32
                                                                                                          • API String ID: 3850602802-1010561917
                                                                                                          • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                                                          • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                                                                                          • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                                                          • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                                                                                          Function 0046BD4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                                                          • gethostbyname.WSOCK32(?), ref: 0046BD78
                                                                                                          • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                                                                                                          • inet_ntoa.WSOCK32(00000000), ref: 0046BDCD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                                                                                                          • String ID: HH
                                                                                                          • API String ID: 1515696956-2761332787
                                                                                                          • Opcode ID: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                                                                                                          • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                                                                                                          • Opcode Fuzzy Hash: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                                                                                                          • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                                                                                                          Function 0046CD9A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67comCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                                                          • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                                                                          • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                                                                          • CoUninitialize.OLE32 ref: 0046CE50
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                          • String ID: .lnk
                                                                                                          • API String ID: 886957087-24824748
                                                                                                          • Opcode ID: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                                                                                                          • Instruction ID: 634f95a1702cd93f148e07eb64efb4b351689d97c5b229aafe37579347e0b37e
                                                                                                          • Opcode Fuzzy Hash: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                                                                                                          • Instruction Fuzzy Hash: E821AF312083009FC700EF55C985F5ABBF4EF89724F148A6EF9549B2E2D7B5A805CB56
                                                                                                          Function 004497A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                          • GetMenuItemInfoW.USER32 ref: 004497EA
                                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                                                                                          • DrawMenuBar.USER32 ref: 00449828
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$InfoItem$Draw_malloc
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 772068139-4108050209
                                                                                                          • Opcode ID: aba2b2f37e8aede0e07af882035f7c7ba327ed0a8d43e4983355c33413849c0f
                                                                                                          • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                                                                                          • Opcode Fuzzy Hash: aba2b2f37e8aede0e07af882035f7c7ba327ed0a8d43e4983355c33413849c0f
                                                                                                          • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                                                                                          Function 004342A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33memoryCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocTask_wcslen
                                                                                                          • String ID: hkG
                                                                                                          • API String ID: 2651040394-3610518997
                                                                                                          • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                                                          • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                                                                                          • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                                                          • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                                                                                                          Function 0043416A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                                                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                          • API String ID: 2574300362-1816364905
                                                                                                          • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                                                          • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                                                                                                          • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                                                          • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                                                                                                          Function 004343CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,00000000,?,?,00000101,?,?), ref: 004343DE
                                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: ICMP.DLL$IcmpSendEcho
                                                                                                          • API String ID: 2574300362-58917771
                                                                                                          • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                                                          • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                                                                                                          • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                                                          • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                                                                                                          Function 004343FD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: ICMP.DLL$IcmpCloseHandle
                                                                                                          • API String ID: 2574300362-3530519716
                                                                                                          • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                                                          • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                                                                                                          • Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                                                          • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                                                                                                          Function 0043442C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                                                                                                          • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: ICMP.DLL$IcmpCreateFile
                                                                                                          • API String ID: 2574300362-275556492
                                                                                                          • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                                                          • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                                                                                                          • Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                                                          • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                                                                                                          Function 0040EE70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                                                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: IsWow64Process$kernel32.dll
                                                                                                          • API String ID: 2574300362-3024904723
                                                                                                          • Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                                                                          • Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
                                                                                                          • Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                                                                          • Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
                                                                                                          Function 0040EEE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,0040E5BF,?), ref: 0040EEEB
                                                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040EEFD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                          • API String ID: 2574300362-192647395
                                                                                                          • Opcode ID: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
                                                                                                          • Instruction ID: 788ba9bdae5bc0ddad915f4d08bdcf590d5e3b2ea1e3da194f5c7121584c3133
                                                                                                          • Opcode Fuzzy Hash: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
                                                                                                          • Instruction Fuzzy Hash: ABD0C9B0944703AAC7311F72C91C70A7AE4AB40341F204C3EB996E1691DBBCC0508B2C
                                                                                                          Function 0040ACA0 Relevance: 6.4, APIs: 4, Instructions: 368COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClearVariant
                                                                                                          • String ID:
                                                                                                          • API String ID: 1473721057-0
                                                                                                          • Opcode ID: c8a8680659340ce3ae7b61d15611f915275d61821cdaab737acf418eefb31e18
                                                                                                          • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                                                                                                          • Opcode Fuzzy Hash: c8a8680659340ce3ae7b61d15611f915275d61821cdaab737acf418eefb31e18
                                                                                                          • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                                                                                                          Function 0041456C Relevance: 6.1, APIs: 4, Instructions: 137COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __flush.LIBCMT ref: 00414630
                                                                                                          • __fileno.LIBCMT ref: 00414650
                                                                                                          • __locking.LIBCMT ref: 00414657
                                                                                                          • __flsbuf.LIBCMT ref: 00414682
                                                                                                            • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                                            • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                                          • String ID:
                                                                                                          • API String ID: 3240763771-0
                                                                                                          • Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                                                          • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                                                                                                          • Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                                                          • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                                                                                                          Function 004781AE Relevance: 6.1, APIs: 4, Instructions: 135COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                                          • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                                          • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CopyVariant$ErrorLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 2286883814-0
                                                                                                          • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                                                          • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                                                                                                          • Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                                                          • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                                                                                                          Function 0047404B Relevance: 6.1, APIs: 4, Instructions: 133networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                                                                                                          • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                                                                                                          • #21.WSOCK32 ref: 004740E0
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$socket
                                                                                                          • String ID:
                                                                                                          • API String ID: 1881357543-0
                                                                                                          • Opcode ID: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                                                                                                          • Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
                                                                                                          • Opcode Fuzzy Hash: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                                                                                                          • Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
                                                                                                          Function 00441CB4 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                                                          • PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                                                          • MessageBeep.USER32(00000000), ref: 00441DF2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1352109105-0
                                                                                                          • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                                                          • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                                                                                                          • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                                                          • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                                                                                                          Function 0042384A Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                                                                                                          • __isleadbyte_l.LIBCMT ref: 004238B2
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 3058430110-0
                                                                                                          • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                                                          • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                                                                                                          • Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                                                          • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                                                                                                          Function 0045D070 Relevance: 6.1, APIs: 4, Instructions: 100fileCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                                                                                                          • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                                                                                                          • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 3321077145-0
                                                                                                          • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                                                          • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                                                                                                          • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                                                          • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                                                                                                          Function 0045058D Relevance: 6.1, APIs: 4, Instructions: 98COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetParent.USER32(?), ref: 004505BF
                                                                                                          • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                                                                                          • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                                                                                          • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Proc$Parent
                                                                                                          • String ID:
                                                                                                          • API String ID: 2351499541-0
                                                                                                          • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                                                          • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                                                                                                          • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                                                          • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                                                                                                          Function 004613E0 Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                                                                                                            • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                          • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                                                                                                          • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                                                                                                          • __itow.LIBCMT ref: 00461461
                                                                                                          • __itow.LIBCMT ref: 004614AB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$__itow$_wcslen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2875217250-0
                                                                                                          • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                                                          • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                                                                                                          • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                                                          • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                                                                                                          Function 004727F8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetForegroundWindow.USER32 ref: 00472806
                                                                                                            • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                                                                                                            • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                                                                                                            • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                                                                                                          • GetCaretPos.USER32(?), ref: 0047281A
                                                                                                          • ClientToScreen.USER32(00000000,?), ref: 00472856
                                                                                                          • GetForegroundWindow.USER32 ref: 0047285C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2759813231-0
                                                                                                          • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                                                          • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                                                                                                          • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                                                          • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                                                                                          Function 0047721A Relevance: 6.1, APIs: 4, Instructions: 73COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                                                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Long$AttributesLayered
                                                                                                          • String ID:
                                                                                                          • API String ID: 2169480361-0
                                                                                                          • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                                                          • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                                                                          • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                                                          • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                                                                          Function 00448C8B Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32 ref: 00448CB8
                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                                                                          • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                                                                          • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$LongWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 312131281-0
                                                                                                          • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                                                          • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                                                                          • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                                                          • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                                                                          Function 004588B0 Relevance: 6.1, APIs: 4, Instructions: 67networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • select.WSOCK32 ref: 0045890A
                                                                                                          • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                                                                          • accept.WSOCK32(00000000,00000000,00000000), ref: 00458927
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLastacceptselect
                                                                                                          • String ID:
                                                                                                          • API String ID: 385091864-0
                                                                                                          • Opcode ID: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                                                                                                          • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                                                                          • Opcode Fuzzy Hash: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                                                                                                          • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                                                                          Function 00438D4E Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3850602802-0
                                                                                                          • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                                                          • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                                                                          • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                                                          • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                                                                          Function 0043362D Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                                                                                          • GetStockObject.GDI32(00000011), ref: 00433695
                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                                                                          • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$CreateMessageObjectSendShowStock
                                                                                                          • String ID:
                                                                                                          • API String ID: 1358664141-0
                                                                                                          • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                                                          • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                                                                          • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                                                          • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                                                                                          Function 0044419B Relevance: 6.1, APIs: 4, Instructions: 53synchronizationthreadwindowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 2880819207-0
                                                                                                          • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                                                          • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                                                                          • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                                                          • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                                                                          Function 0043401C Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00434037
                                                                                                          • ScreenToClient.USER32(?,?), ref: 0043405B
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00434085
                                                                                                          • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 357397906-0
                                                                                                          • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                                                          • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                                                                          • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                                                          • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                                                                                          Function 00424E33 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                          • String ID:
                                                                                                          • API String ID: 3016257755-0
                                                                                                          • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                          • Instruction ID: 11ead64bc5c18606fe5fffcedc2bbdf89ccfa4faa7bd693ca83be0ddd2add3a5
                                                                                                          • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                          • Instruction Fuzzy Hash: AA11A272500059BBCF225E85EC018EE3F66FB88354B898416FE2858131C73AC9B1AB85
                                                                                                          Function 00436A1D Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __wsplitpath.LIBCMT ref: 00436A45
                                                                                                            • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                          • __wsplitpath.LIBCMT ref: 00436A6C
                                                                                                          • __wcsicoll.LIBCMT ref: 00436A93
                                                                                                          • __wcsicoll.LIBCMT ref: 00436AB0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                                                          • String ID:
                                                                                                          • API String ID: 1187119602-0
                                                                                                          • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                                                          • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                                                                                          • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                                                          • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                                                                                          Function 00437AFE Relevance: 6.0, APIs: 4, Instructions: 44COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1597257046-0
                                                                                                          • Opcode ID: ef4c8eb1668fb764ac9879486c39433899b48e1b70f0ed706df85b8b39ec7f0c
                                                                                                          • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                                                                                          • Opcode Fuzzy Hash: ef4c8eb1668fb764ac9879486c39433899b48e1b70f0ed706df85b8b39ec7f0c
                                                                                                          • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                                                                                          Function 004555D6 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                          • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                          • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteDestroyObject$IconWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3349847261-0
                                                                                                          • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                                                          • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                                                                                                          • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                                                          • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                                                                                                          Function 0044B600 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                                                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                                          • String ID:
                                                                                                          • API String ID: 2223660684-0
                                                                                                          • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                                                                          • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                                                                                                          • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                                                                                                          • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                                                                                                          Function 00447268 Relevance: 6.0, APIs: 4, Instructions: 32COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                            • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                            • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                                            • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                          • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                                                                                                          • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                                                                                                          • EndPath.GDI32(?), ref: 004472B0
                                                                                                          • StrokePath.GDI32(?), ref: 004472BE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                                                          • String ID:
                                                                                                          • API String ID: 2783949968-0
                                                                                                          • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                                                                          • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                                                                                                          • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                                                                                                          • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                                                                                                          Function 00417D0E Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __getptd.LIBCMT ref: 00417D1A
                                                                                                            • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                                                            • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                                                          • __getptd.LIBCMT ref: 00417D31
                                                                                                          • __amsg_exit.LIBCMT ref: 00417D3F
                                                                                                          • __lock.LIBCMT ref: 00417D4F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                          • String ID:
                                                                                                          • API String ID: 3521780317-0
                                                                                                          • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                                                                          • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                                                                                                          • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                                                                                                          • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                                                                                                          Function 00471144 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetDesktopWindow.USER32 ref: 00471144
                                                                                                          • GetDC.USER32(00000000), ref: 0047114D
                                                                                                          • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
                                                                                                          • ReleaseDC.USER32(00000000,?), ref: 0047117B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2889604237-0
                                                                                                          • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                                                                          • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
                                                                                                          • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                                                                                                          • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
                                                                                                          Function 00471102 Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetDesktopWindow.USER32 ref: 00471102
                                                                                                          • GetDC.USER32(00000000), ref: 0047110B
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                                                                                                          • ReleaseDC.USER32(00000000,?), ref: 00471139
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2889604237-0
                                                                                                          • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                                                                          • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
                                                                                                          • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                                                                                                          • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
                                                                                                          Function 004389A1 Relevance: 6.0, APIs: 4, Instructions: 27threadwindowtimeCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                                                          • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                                                          • AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2710830443-0
                                                                                                          • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                                                                          • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                                                                                                          • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                                                                                                          • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
                                                                                                          Function 004390C2 Relevance: 6.0, APIs: 4, Instructions: 26synchronizationCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
                                                                                                          • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
                                                                                                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
                                                                                                          • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
                                                                                                            • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
                                                                                                            • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 146765662-0
                                                                                                          • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                                                                          • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
                                                                                                          • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                                                                                                          • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
                                                                                                          Function 0041405D Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
                                                                                                            • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                                                                          • __getptd_noexit.LIBCMT ref: 00414080
                                                                                                          • __freeptd.LIBCMT ref: 0041408A
                                                                                                          • ExitThread.KERNEL32 ref: 00414093
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 3182216644-0
                                                                                                          • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                                                          • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                                                                                                          • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                                                          • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
                                                                                                          Function 0046EDC6 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 383COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharLower
                                                                                                          • String ID: $8'I
                                                                                                          • API String ID: 2358735015-3608026889
                                                                                                          • Opcode ID: e3039598ad07eb1683e22d1e13845cc1c6bfaba1fe80df618d976ecbdfba683b
                                                                                                          • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                                                                                                          • Opcode Fuzzy Hash: e3039598ad07eb1683e22d1e13845cc1c6bfaba1fe80df618d976ecbdfba683b
                                                                                                          • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                                                                                                          Function 00478373 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277comCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                            • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                                                                                                            • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                                            • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                                                                                                          • String ID: AutoIt3GUI$Container
                                                                                                          • API String ID: 3380330463-3941886329
                                                                                                          • Opcode ID: a9ff7069b9b8d6ccd49eba872ad7efd2467de888f1098c4430e935d21ee713db
                                                                                                          • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                                                                                                          • Opcode Fuzzy Hash: a9ff7069b9b8d6ccd49eba872ad7efd2467de888f1098c4430e935d21ee713db
                                                                                                          • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                                                                                                          Function 004099A8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • _wcslen.LIBCMT ref: 00409A61
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                            • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                            • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                            • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                          • String ID: 0vH
                                                                                                          • API String ID: 1143807570-3662162768
                                                                                                          • Opcode ID: 06636c051a656e0db8e48e9a81f0f7daa77b956eb8708b24b717754a54bb628e
                                                                                                          • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
                                                                                                          • Opcode Fuzzy Hash: 06636c051a656e0db8e48e9a81f0f7daa77b956eb8708b24b717754a54bb628e
                                                                                                          • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
                                                                                                          Function 00466587 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: HH$HH
                                                                                                          • API String ID: 0-1787419579
                                                                                                          • Opcode ID: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
                                                                                                          • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
                                                                                                          • Opcode Fuzzy Hash: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
                                                                                                          • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
                                                                                                          Function 00444652 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoItemMenu_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 2223754486-4108050209
                                                                                                          • Opcode ID: 38f09aa922346eb88559bb972c0ed36bedb4057ad35cf6b519ccfeef0a85981d
                                                                                                          • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
                                                                                                          • Opcode Fuzzy Hash: 38f09aa922346eb88559bb972c0ed36bedb4057ad35cf6b519ccfeef0a85981d
                                                                                                          • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
                                                                                                          Function 00448358 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: '
                                                                                                          • API String ID: 3850602802-1997036262
                                                                                                          • Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                                                                          • Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
                                                                                                          • Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                                                                                                          • Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
                                                                                                          Function 00444571 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON
                                                                                                          Download Yara Rule
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 0-4108050209
                                                                                                          • Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                                                                          • Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
                                                                                                          • Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                                                                                                          • Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
                                                                                                          Function 0045126C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                                                                                                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: Combobox
                                                                                                          • API String ID: 3850602802-2096851135
                                                                                                          • Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                                                                          • Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
                                                                                                          • Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                                                                                                          • Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
                                                                                                          Function 004515AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LengthMessageSendTextWindow
                                                                                                          • String ID: edit
                                                                                                          • API String ID: 2978978980-2167791130
                                                                                                          • Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                                                                          • Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
                                                                                                          • Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                                                                                                          • Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
                                                                                                          Function 00474827 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72sleepCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • Sleep.KERNEL32(00000000), ref: 00474833
                                                                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: GlobalMemorySleepStatus
                                                                                                          • String ID: @
                                                                                                          • API String ID: 2783356886-2766056989
                                                                                                          • Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                                                                          • Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
                                                                                                          • Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                                                                                                          • Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
                                                                                                          Function 004647A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: htonsinet_addr
                                                                                                          • String ID: 255.255.255.255
                                                                                                          • API String ID: 3832099526-2422070025
                                                                                                          • Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                                                                          • Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
                                                                                                          • Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                                                                                                          • Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
                                                                                                          Function 004694DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend_wcslen
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 455545452-1403004172
                                                                                                          • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                                                          • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
                                                                                                          • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                                                          • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
                                                                                                          Function 00442AFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InternetOpen
                                                                                                          • String ID: <local>
                                                                                                          • API String ID: 2038078732-4266983199
                                                                                                          • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                                                          • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                                                                                                          • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                                                          • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                                                                                                          Function 004695F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend_wcslen
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 455545452-1403004172
                                                                                                          • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                                                          • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                                                                                                          • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                                                          • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
                                                                                                          Function 0046956F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                          • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend_wcslen
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 455545452-1403004172
                                                                                                          • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                                                                          • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
                                                                                                          • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                                                                          • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
                                                                                                          Function 004560AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                                                                                                            • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                          • wsprintfW.USER32 ref: 004560E9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend_mallocwsprintf
                                                                                                          • String ID: %d/%02d/%02d
                                                                                                          • API String ID: 1262938277-328681919
                                                                                                          • Opcode ID: dc5fd9a877cd0fc352ed6de9b5f97ee6fb2dcbb154e3a48ad4a1e49fbb654ae8
                                                                                                          • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                                                                                                          • Opcode Fuzzy Hash: dc5fd9a877cd0fc352ed6de9b5f97ee6fb2dcbb154e3a48ad4a1e49fbb654ae8
                                                                                                          • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                                                                                                          Function 00442262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                                                                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                                                                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                                          • String ID: Shell_TrayWnd
                                                                                                          • API String ID: 529655941-2988720461
                                                                                                          • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                                                                          • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
                                                                                                          • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                                                                                                          • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
                                                                                                          Function 0044222A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
                                                                                                          • PostMessageW.USER32(00000000), ref: 00442247
                                                                                                            • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                                          • String ID: Shell_TrayWnd
                                                                                                          • API String ID: 529655941-2988720461
                                                                                                          • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                                                                          • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                                                                                                          • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                                                                                                          • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                                                                                                          Function 00439514 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON
                                                                                                          Download Yara Rule
                                                                                                          APIs
                                                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                                                                                                            • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1683921949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1683910928.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683962404.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1683976890.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1684003368.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_7xonkSJwuY.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message_doexit
                                                                                                          • String ID: AutoIt$Error allocating memory.
                                                                                                          • API String ID: 1993061046-4017498283
                                                                                                          • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                                                                          • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                                                                                                          • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                                                                                                          • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E